National Security Agency warns against paying ransoms
Rob Joyce and David Luber, former and current directors of cybersecurity at the NSA, discuss how the ransomware attack on Change Healthcare exemplified the cons of paying ransoms.
SAN FRANCISCO -- The recent ransomware attack against Change Healthcare underscored how ineffective paying ransoms can be for victim organizations, according to National Security Agency representatives.
Rob Joyce, former director of cybersecurity for the National Security Agency, and David Luber, the NSA's current director of cybersecurity, led an RSA Conference 2024 session on Wednesday titled "State of the Hack 2024 -- NSA's Perspectives." Joyce and Luber covered a range of topics, including edge device security, ransomware payments, increasing threats to critical infrastructure and cloud security risks.
Several cybersecurity vendors observed record numbers of ransomware attacks in 2023, which reignited the payment ban discussion across the industry. Joyce and Luber stressed that whether to pay ransoms is an area of ongoing debate. One side of the argument is that paying ransoms should be a business decision because attacks are severely disruptive. Others stress that paying fuels further attacks and a ban would hinder actors' financial gains.
During the session, Joyce and Luber advised against making ransomware payments, especially after seeing the outcome of the Change Healthcare ransomware attack from February, which caused massive disruptions to the company's payment management platform and affected medical facilities and pharmacies across the country. The BlackCat/Alphv ransomware gang breached the healthcare organization through a Citrix portal that did not have MFA enabled.
Change Healthcare parent company UnitedHealth Group subsequently paid a $22 million ransom. However, Change Healthcare still experienced prolonged and ongoing disruptions for patient care and healthcare providers. A federal investigation into the attack is ongoing.
"I think we got a new data point from the Change Healthcare attack. They tried to pay a ransom, and in the end, surprisingly, the thieves ran off with their money and didn't give anything back," Joyce said during the session. "Understand that if you choose to pay a ransom, you may not be able to recover your systems with that payment. Instead, invest in recovery."
Luber added that the Colonial Pipeline attack in 2021 was a "wake-up call" and marked the first time the NSA viewed ransomware as a national security concern. Both speakers emphasized that ransomware continues to be a national security concern, further highlighted by the Change Healthcare attack. Luber said that it affected the economy and services for the healthcare sector across the nation.
If you ban ransomware payments, are you really going to ban payments or just enable a cut-out market that will third-party everything?
Mick BaccioGlobal security advisor, Splunk Surge
Mick Baccio, global security advisor for Splunk's Surge team, told TechTarget Editorial that while he supports a ban on paying ransoms, he believes it would push payments undergound.
"If you ban ransomware payments, are you really going to ban payments or just enable a cut-out market that will third-party everything?" he said. "I understand the banning, and I think it should happen. Create that cut-out market and then go stomp it."
Securing edge devices
Another security concern that's been highlighted by recent attacks is the significant threat to edge devices. Luber and Joyce said attackers target vulnerabilities and security weaknesses in edge devices because they are the entry point to a victim's network. With that access, threat actors can harvest credentials and maintain a persistent presence in the IT environment.
Cyber insurer Coalition released a report in April that detailed how edge devices posed a significant problem for policyholders last year. The report highlighted Cisco's Adaptive Security Appliance (ASA), which led to significantly greater risks for Coalition customers.
Joyce said an influx of CVEs were discovered in edge devices this year. Zero-day vulnerabilities "piled up" for some manufacturers such as Ivanti, which disclosed multiple zero days in its VPN products over a short period. The problem prompted Ivanti CEO Jeff Abott to publish an open letter promising to put increased focus on the vendor's security initiatives.
Rob Joyce, former director of cybersecurity at the National Security Agency (NSA) and David Luber, the NSA's current director of cybersecurity, lead an RSA Conference 2024 session Wednesday.
CISA was one of many victims affected by the zero-day attacks; Threat actors exploited Ivanti flaws earlier this year to breach the agency. Joyce said edge devices will remain popular targets because they are internet-facing and contain large amounts of data.
"Organizations should think about a broader set of security beyond the edge devices. When a CVE is found on an edge device, we need to patch -- and patch quickly," Luber said.
The speakers warned that edge devices are a focus for both ransomware groups and nation-state attackers.
Another area that attracts an array of attackers is the cloud. Joyce said that during the past five years or more, there's been a massive migration to the cloud, which makes it a big target for a variety of threat actors. He cited activity by the Russian nation-state actor tracked as Midnight Blizzard as one example.
Midnight Blizzard, also known as Cozy Bear and APT29, was responsible for the SolarWinds breach in 2020 and more recently attacked Microsoft and gained access to corporate emails, documents and source code. The breach affected the federal government, as Midnight Blizzard actors obtained email exchanges between agencies and Microsoft.
"Midnight Blizzard is exploiting cloud services in commercial products and manipulating trust we rely on across the U.S. and the government," Joyce said.
Joyce stressed that attackers target the cloud because the government and private industry trust the cloud to secure its sensitive data. However, he also said storing data in the cloud presents challenges, since mitigations can be more challenging compared with on-premises technology.
"We've got to know and have the trust in the cloud, because we lose some of our visibility into the environment," Joyce said." We don't always have access to the logs CVEs aren't issued. If you're using on-premises, you understand your flaws. We need to understand that in the cloud as we invest more in it."
Concerns about a lack of visibility into cloud vulnerabilities have grown in recent years, prompting some companies to increase collaboration with security researchers and improve documentation of such flaws. Jesse Dougherty, vice president of network edge services at AWS, told TechTarget Editorial that collaboration between AWS and its partners is important in the discovery and reporting of cloud vulnerabilities.
"We harden it through collaboration and proactive thinking. That makes a huge difference," Doughtery said.
Update: This article incorrectly stated that Joyce and Luber discussed the topic of a ransomware payment ban. The article has been corrected, and we regret the error.
Arielle Waldman is a Boston-based reporter covering enterprise security news.
