Srsly Risky Biz: Tuesday, December 1

Ransom payouts spell trouble for insurers, Plenty of heart - and a hole - in NYT ransomware story, A snap cyber audit for Australia's banks

Your weekly dose of Seriously Risky Business news is written by Brett Winterford, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation.

Ransom payouts spell trouble for insurers

Ransomware attacks are so rife and so costly that insurers are exploring ways to exclude ransom payments from their policies.

Seriously Risky Biz understands some providers are attempting to shelter themselves from these losses, either by excluding extortion events from standard cyber insurance coverage or by introducing onerous new conditions on policyholders.

The trouble for insurers started in 2019, right around the time that human-operated ransomware attacks and the size of the ransoms ballooned. Risk management firm Aon recorded a 12.7% increase in loss ratios [pdf] across 192 US providers of standalone cyber insurance products. This hit on insurer profit margins was initially offset by an influx of new policyholders taking up cyber insurance for the first time. But ponzi-style growth can only be sustained for so long.

We expect 2020 figures, once tallied, will spell trouble for the insurance sector. Ransomware has matured into a highly-profitable business, characterised by:

  • Easier access to victims: specialised "initial access brokers" are reaping good profits by selling access to compromised environments to ransomware crews. Meanwhile, botnets historically used for spreading banking trojans have switched to delivering a ransomware payload.
  • More attackers: affiliate programs (ransomware-as-a-service) provide a greater number of attackers access to ransomware tools.
  • Faster, more destructive attacks: where the time between initial infection and deployment of a ransomware payload used to be measured in days, these days it is measured in hours.
  • More pressure: many ransomware operators now publish 'leak' sites to pressure victims to pay up;
  • More expensive attacks: ransom demands have grown 100% year on year, and continue to grow at over 40% every quarter [pdf].

A November 2020 report by insurer Allianz [pdf] noted a sustained increase in the number of cyber-related insurance claims in the first nine months of 2020, with "business interruption" events making up 66% of those claims. Attacks have only intensified since: this week alone there are reports of attacks on US-based fibre optic cable provider Belden, Baltimore County Schools,  US Fertility, The County of Delaware (Pennsylvania), Steelcase, Danish news agency Ritzau, Taiwan's Advantech and logistics company Rand McNally.

The impact of ransomware losses on the cyber insurance market "cannot be overstated", AON analysts noted in an October 2020 report [pdf].

Standard and Poor’s predicts cyber security insurance premiums will need to rise by 20-30% a year from 2021 (compared to a growth of 11% from 2018 to 2019) if these costs keep escalating. S&P has already observed a growing number of cyber insurance policies that exclude ransomware and business email compromise events.

Aon somewhat optimistically suggests its fellow insurers "move to an enforcement regime" under which insurers make ransomware coverage conditional upon the insured taking up specific products and services. In one Aon/Allianz tie-up, the insured must submit to an upfront security assessment from Aon, license a bundle of preventative controls (EDR, network proxies, email filtering) and restrict themselves to Mac/iOS endpoints. Remove Windows and Android and you're in!

The more likely outcome is that insurance for ransomware events will increasingly be broken out into a separate, prohibitively expensive policy, or will only be covered as an insanely expensive checkbox option.

Plenty of heart, and a hole, in NYT ransomware story

The New York Times has gone long-form with a story on the human cost of an October ransomware attack on the University of Vermont Medical Center, interviewing frustrated medical staff and patients whose life-saving treatments were postponed.

The story revealed that it has taken the better part of a month to bring the hospital network's electronic records system, 1300 servers and 5000 laptops back online.

The Times also claims that the FBI forbade hospital administrators from discussing whether the hospital received a ransom demand. Reporters Ellen Barry and Nicole Perlroth used that to imply that the motivation for the attack "wasn't clear", playing into the narrative that the three-day campaign of attacks on US hospitals was a deliberately destructive act of revenge over the TrickBot takedown, rather than an act motivated by profit. That's a huge (and unsubstantiated) claim, with profound implications for how the United States might choose to respond.

Reliable sources have since told us that the Ryuk attack on the University of Vermont did, in fact, include a ransom demand.

It's a common practice for companies disrupted by these attacks to explicitly avoid mentioning "ransomware" in the early stages of their response. That's consistent across a range of recent Ryuk victims including Universal Health Systems, Steelcase and Baltimore County Public Schools. See Belden's more recent statement: 350 words on an attack and no mention of ransoms. The absence of detailed victim statements in these incidents say nothing about an attacker's motivations. Rather, it says a lot more about the complexity of negotiating with extortionists.

That aside, the human interest elements to the NYT piece still make it a compelling read.

Regulator demands snap security audit of Australia's financial services sector

Australia's prudential regulator has declared a one-off cyber security audit of all regulated companies, in response to concerns that the country's banks, insurers and other financial institutions have been paying lip service to their cyber security obligations.

For the last 18 months, APRA has obliged Australia's financial service providers to self-assess their security against a prudential standard called CPS 234 [pdf]. This demands board ownership of cyber risks and adherence to a baseline of infosec controls such as an information security policy, a register of critical assets, control effectiveness testing and an incident response capability. All of these obligations must be tested in routine audits.

APRA's executive board member Geoff Summerhayes said on Thursday that he's dissatisfied with how the industry has tracked against these obligations. APRA found that audits were often superficial and performed by personnel that lacked the necessary skills, while boards often struggled to comprehend or act on cyber risks. "We're no longer prepared to simply take their words for it," he said. "We want compliance independently verified."

APRA is now asking 680 Australian firms to not only engage an external audit firm to review compliance with the prudential standard, but to share the resulting report with APRA. Where  the regulator finds "sufficiently material gaps", it will compel the organisation to devise a rectification plan. If that plan isn't met, APRA will take punitive action.

In announcing this hard line, Summerhayes also made a play for APRA to take on a broader role as a cyber security regulator. As we've previously reported, Australia's Department of Home Affairs wants the security of several unregulated industries brought to heel under its critical infrastructure security strategy, and has signalled that it will step in and regulate wherever an existing market regulator doesn't provide sufficient supervision.

Summerhayes said APRA desires to "extend its influence" beyond banking, insurance and superannuation (pension funds) to include fund managers, payment platforms and software vendors.

Someone call the waaaambulance: Russia threatens bans on YouTube, Facebook and Twitter

A bill before Russia's Parliament proposes to ban social media companies that flag posts published by Russia's State-owned media enterprises, arguing that the practice discriminates against Russian organisations.

YouTube started labelling state-owned media in 2018, and Facebook and Twitter followed suit to counter election-related disinformation campaigns earlier this year.

Russia's Parliament has debated whether to ban Western social media companies on several occasions, long before these content moderation practices were introduced. In that context, the proposed bill is as much about a struggle to control media consumption at home as it is about fair access for Russia's mouthpieces abroad.

Many Russians (at least 80 million of them) choose to get their news and entertainment from Google-owned YouTube. Foreign-owned social media and messaging apps offer opportunities for Russians to hear directly from Putin's critics, something that isn't going to fly on state-controlled television or on native Russian social media platforms owned by Putin-aligned oligarchs.

So it's difficult to assess how seriously to take Russia's threat. Past efforts by the Russian Government to block E2EE apps or fine foreign tech companies didn't have much of an effect on usage patterns. Russia's control of its information environment isn't absolute.


The AFP's Cybercrime Operations team is on the hunt for technical analysts and technical officers. These are roles where your technical expertise can contribute to investigating and prosecuting computer-related crimes. This isn't "guns in holsters" stuff, it's "computer exploitation" and "overt and covert intelligence collections" territory. There are a range of roles available in Canberra, Sydney and Melbourne (today) and Brisbane and Perth (from July 2021).

Speaking of working for the fuzz, did you know they have their own bank? Police Bank is looking for a Head of Security in Sydney. Details are in the link below.

COVIDSafe gets a makeover

The Australian Government has finally admitted that COVIDSafe -- the country's contact tracing app -- has not provided the Bluetooth performance required to be effective for tracing close contacts.

This newsletter has since May 2020 argued that COVIDSafe was a mistake: it’s developers tried but ultimately failed to circumvent privacy restrictions built into Apple's mobile operating system.

Many hoped that, like Austria, Canada, Germany, Ireland, Switzerland and the United Kingdom, Australia would shift its 7.1 million COVIDSafe users onto an updated version that made use of Apple and Google's Exposure Notification (GAEN) framework, which was explicitly designed to build exposure notification capabilities into the operating system. GAEN, while imperfect, prioritises user privacy and provides transparency in ways COVIDSafe doesn't. A peer-reviewed academic study shows that the Swiss implementation of the framework has provided an effective tool that complements traditional contact tracing processes.

But this week, the Australian Government announced it has swapped out the Bluetooth protocol COVIDSafe inherited from Singapore's OpenTrace, and will again play the role of first adopter for a new protocol called Herald. Herald was developed by an engineer in VMware's Pivotal business unit, Adam Fowler.

Fowler claims to have circumvented the OS limitations that made iOS-to-iOS detections unreliable. Some of these workarounds go against the designed intent of several operating system features, such as location services. Another trick is to use nearby Android devices as a relay to connect two iOS devices running the app in the foreground.

The Australian Government claims an updated COVIDSafe can detect encounters between two locked iOS devices more than 80% of the time.

We'd like to take the government's word on this. But given the record of Government Services Minister Stuart Robert, whose spokesborg falsely claimed that the EN framework "puts health information in the hands of IT companies" and that it "offers less device compatibility than COVIDSafe", we'll reserve judgement until its been independently verified.


The original version of this newsletter incorrectly claimed that the Herald Bluetooth protocol being adopted by Australia’s COVIDSafe app was conceived for the UK’s abandoned NHSX contact tracing app. VMware reps contacted Seriously Risky Business to ask that we describe the two projects as independent.

I originally linked them because they were developed by the same VMware business unit in the UK, and because one project commenced two weeks after the other was abandoned. But I can see why – given that they each were developed in partnership with different entities – VMware would need them to be treated distinctly. FWIW, the two projects are credited to different authors and are written in different languages. I’ve removed the offending sentence.

It’s also become apparent that COVIDSafe developers were selective about what Herald functions they borrowed: they aren’t calling it as a library, but cutting and pasting parts of the codebase into COVIDSafe. So at this point, COVIDSafe isn’t using nearby Android devices as a relay to record proximity events between iOS devices. Now we are genuinely confused by what the Herald integration achieves: friends in iOS development haven’t yet managed to record a proximity event between locked iOS devices since the update.

You've got mail

From: Lazarus Group (North Korea)
To: AstraZeneca
North Korea-aligned attackers have tempted vaccine researchers at British drug manufacturer AstraZeneca with offers of lucrative job opportunities sent over LinkedIn and WhatsApp, followed up with malware-laced job descriptions. The attacks were reportedly unsuccessful. It follows the same playbook Lazarus has used against defence and aerospace companies since at least mid-2019.

From: Mustang Panda (China)
To: Vatican City
China’s state-backed attackers continue to attack the Catholic Church, even after being called out for attacks on the Vatican in June. In the most recent campaign, Mustang Panda impersonated journalists at church-funded publications and sent malware-laced emails to church officials just as Beijing and Vatican City undertook sensitive negotiations over who gets to appoint bishops in China.

Another Australian state uses payment data for contact tracing

South Australia used payments data to identify people exposed to COVID-19 during a recent outbreak. The state's Chief Public Health Officer Nicola Spurrier told reporters that "it took some to get credit card details" to help contact tracers find at-risk persons during the incident.

Three fewer "Yahoo boys"

Three men arrested in Nigeria are accused of spraying 50,000 organisations with malspam campaigns and using infected devices to run a Business Email Compromise racket.

NetWalker attacks Aussie eDiscovery firm

The NetWalker ransomware gang threatened to publish documents stolen from Law In Order, an Australian-based provider of eDiscovery and other legal services. Law in Order handles eDiscovery cases for Allens and King and Wood Mallesons, two of the largest law firms in the Asia Pacific region, whose blue chip clients include governments and defence contractors. Knowingly or not, this cybercrime gang is poking around in some very sensitive places. The ACSC and Australian Federal Police have been called in.

Home Depot settles over 2014 breach

US retailer Home Depot has settled with 46 US states, agreeing to pay a US$17.5m fine over a 2014 incident in which attackers stole 56 million customer records from its point of sale network. The total cost of the breach to Home Depot now exceeds US$200 million.

The crazies are out for Krebs

Fired by the US President via a tweet, former CISA director Chris Krebs took his story to 60 Minutes over the weekend. President Trump's campaign lawyer responded with great class, telling the Howie Carr show that Krebs "should be drawn and quartered" and "taken out at dawn and shot" for saying that the election was conducted fairly.

Has someone been watching too much Breaking Bad?

Iran's semi-official news agency claims that an Israeli hit on its top nuclear scientist was conducted by a remote controlled machine gun attached to a car, which then self-destructed after the incident. The New York Times, by contrast, reports that up to 12 Israeli operatives did the deed. Either way: yikes.