Halycon AI
Last Month in Security 003: Takedowns, Change Healthcare Updates and Proxy Attacks
In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Halcyon CEO John Miller to continue our examination of the recent Change Healthcare attack that crippled healthcare payment processes across the country.
We also delve into recent takedowns of two of the most prolific ransomware gangs – LockBit and BlackCat/ALPHV - and whether law enforcement actions will have any lasting effect on the onslaught of attacks.
And we touch on the dual nature of some of today’s ransomware attacks that serve a geopolitical strategy and offer plausible deniability for adversarial nations in addition to a revenue stream for criminal actors.
Parent company UnitedHealth Group estimates the cost of remediating the February ransomware attack Q1-2024 is $872 million, and said it expects the attack on Change Healthcare will cost $1.6 billion.
Those numbers are insane. But oh good, here comes the government to the rescue?
Senator Mark Warner (D-VA) has proposed legislation dubbed the Health Care Cybersecurity Improvement Act, that would require some healthcare providers and technology vendors to implement minimum cybersecurity standards.
Meanwhile, DHS published healthcare-specific Cybersecurity Performance Goals, and HHS is planning two regulatory changes that will implement cybersecurity standards for Medicare and Medicaid participation by way of updated HIPAA data security rules after more than 152M people were impacted in the attack.
And to make things more complicated, RansomHub – who may be a rebrand of BlackCat/ALPHV – is claiming to be in possession of data stolen from Change Healthcare and is further extorting the company.
But we did have some major takedowns by law enforcement against LockBit and BlackCat/ALPHV that may have contributed to a notable decline in attacks in the first quarter of 2024.
Yet, even after these actions, LockBit attacked Trans-Northern Pipelines, Prudential Financial, and LoanDepot (to name a few), and BlackCat/ALPHV hit Change Healthcare months after law enforcement takedown attempt, calling into question whether law enforcement alone is the right path for dealing with ransomware attacks.
There is mounting evidence that some of these ransomware operators may be acting as proxies for adversarial nations like Russia and China. The dual nature of a subset of ransomware attacks conveniently provides these nations with plausible deniability.
There is evidence of overlap between cybercrime and APT operations including shared attack infrastructure and tooling between cybercriminals and nation-state operators, and Chainalysis found that 74% of all revenue from ransomware attacks in 2021 went to attackers in Russia.
So why are Western nations afraid to call out the blatant connection between cybercriminal and nation-state operations? Do we need to invoke something like Executive Order 13224 where we designate some ransomware attacks as nation-state sponsored terrorism?
About Our Guest:
Jon Miller is the CEO and Co-founder of Halcyon and has spent 25+ years working in the cybersecurity industry. Prior to Halcyon, Miller was the CEO & Co-founder of Boldend, a next-generation defense contractor focused on building offensive tools for the US Government.
Before his work at Boldend, Miller held the title of Chief Research Officer of Cylance (now Blackberry) where he focused on malware and product efficacy. Prior to Cylance, Miller was employee number 70 at Accuvant (now Optiv) where he helped build and lead the largest technical consultancy at the time Accuvant LABS, working with over 95% of the Fortune 500 as an offensive security expert.
Your Hosts:
Anthony M. Freed, Halcyon Director of Research and Communications
Ben Carr, Halcyon Advisory CISO
Ryan Golden, Halcyon Chief Marketing O
In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Halcyon CEO John Miller to continue our examination of the recent Change Healthcare attack that crippled healthcare payment processes across the country.
We also delve into recent takedowns of two of the most prolific ransomware gangs – LockBit and BlackCat/ALPHV - and whether law enforcement actions will have any lasting effect on the onslaught of attacks.
And we touch on the dual nature of some of today’s ransomware attacks that serve a geopolitical strategy and offer plausible deniability for adversarial nations in addition to a revenue stream for criminal actors.
Parent company UnitedHealth Group estimates the cost of remediating the February ransomware attack Q1-2024 is $872 million, and said it expects the attack on Change Healthcare will cost $1.6 billion.
Those numbers are insane. But oh good, here comes the government to the rescue?
Senator Mark Warner (D-VA) has proposed legislation dubbed the Health Care Cybersecurity Improvement Act, that would require some healthcare providers and technology vendors to implement minimum cybersecurity standards.
Meanwhile, DHS published healthcare-specific Cybersecurity Performance Goals, and HHS is planning two regulatory changes that will implement cybersecurity standards for Medicare and Medicaid participation by way of updated HIPAA data security rules after more than 152M people were impacted in the attack.
And to make things more complicated, RansomHub – who may be a rebrand of BlackCat/ALPHV – is claiming to be in possession of data stolen from Change Healthcare and is further extorting the company.
But we did have some major takedowns by law enforcement against LockBit and BlackCat/ALPHV that may have contributed to a notable decline in attacks in the first quarter of 2024.
Yet, even after these actions, LockBit attacked Trans-Northern Pipelines, Prudential Financial, and LoanDepot (to name a few), and BlackCat/ALPHV hit Change Healthcare months after law enforcement takedown attempt, calling into question whether law enforcement alone is the right path for dealing with ransomware attacks.
There is mounting evidence that some of these ransomware operators may be acting as proxies for adversarial nations like Russia and China. The dual nature of a subset of ransomware attacks conveniently provides these nations with plausible deniability.
There is evidence of overlap between cybercrime and APT operations including shared attack infrastructure and tooling between cybercriminals and nation-state operators, and Chainalysis found that 74% of all revenue from ransomware attacks in 2021 went to attackers in Russia.
So why are Western nations afraid to call out the blatant connection between cybercriminal and nation-state operations? Do we need to invoke something like Executive Order 13224 where we designate some ransomware attacks as nation-state sponsored terrorism?
About Our Guest:
Jon Miller is the CEO and Co-founder of Halcyon and has spent 25+ years working in the cybersecurity industry. Prior to Halcyon, Miller was the CEO & Co-founder of Boldend, a next-generation defense contractor focused on building offensive tools for the US Government.
Before his work at Boldend, Miller held the title of Chief Research Officer of Cylance (now Blackberry) where he focused on malware and product efficacy. Prior to Cylance, Miller was employee number 70 at Accuvant (now Optiv) where he helped build and lead the largest technical consultancy at the time Accuvant LABS, working with over 95% of the Fortune 500 as an offensive security expert.
Your Hosts:
Anthony M. Freed, Halcyon Director of Research and Communications
Ben Carr, Halcyon Advisory CISO
Ryan Golden, Halcyon Chief Marketing O