Ransomware: 'To Pay or Not to Pay' Question Faces Medibank
Also: Security Vendor Layoffs Rising; Remembering Threat Intel Guru Vitali Kremez
Anna Delaney (annamadeline) • November 3, 2022 • 16 Minutes
The latest edition of the ISMG Security Report discusses how Australian health insurer Medibank is deliberating on whether to pay a ransom to extortionists, analyzes the growing number of layoffs in the security vendor space, and shares a tribute to threat intelligence researcher Vitali Kremez.
In this report, you'll hear:
- ISMG's Jeremy Kirk consider whether Australia's Medibank should pay off extortionists to prevent the release of sensitive medical documents related to millions of Australians;
- ISMG's Michael Novinson explain the recent rise in layoffs at security vendors and where the market is headed;
- ISMG's Mathew Schwartz share a tribute to Vitali Kremez, a renowned threat intelligence expert who died at age 34 in a suspected scuba-diving accident.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Oct. 13 and Oct. 20 editions, which respectively discuss the growing Zelle problem and how Russian-speaking ransomware gangs have a new target.
Anna Delaney: Ransomware: the pay or don't pay question facing Australia's Medibank, and more layoffs in the security vendor space. These stories and more on this week's ISMG Security Report. Hello, I'm Anna Delaney. "Should Australia's Medibank give in to extortionists?" asks ISMG's executive editor Jeremy Kirk. The answer, it turns out, is not a simple one.
Jeremy Kirk: Should Australia's Medibank health insurer pay extortionists to prevent the release of sensitive medical claims documents related to millions of Australians? Medibank is in a no-win position. An extortion group says it stole 200 gigabytes of data, which the company says affects virtually its entire customer base of 4 million people. What should it do? Medibank could pay a ransom and the records may not be destroyed and sold on the sly anyway, but paying could prevent a mass data dump that's easy for lots of bad people to access. Either way, it's the most severe cyber criminal incident in Australian history. With file-encrypting ransomware, many top-shelf consultancies vouch for paying ransoms to recover data as a cost of doing business. This supercharges more acts of ransomware and extortion; it's pure realpolitik, but a clinical, tone-deaf view of criminal acts. The official advice from the Australian government has been not to give cybercriminals money. The last few weeks have been rough in Australia on the data breach front, with back-to-back data breaches that have affected most of the country's population. There's a debate over whether Australia should outlaw paying ransoms. This is a bad idea for several reasons. It punishes cybercrime victims; it's difficult to enforce. Police should be fighting cyber criminals, not wasting time pursuing victims who paid, and finally, it will kill some businesses. Here's why the ransom question is so hard from a utilitarian perspective. Is it better for a small company to pay $800,000 in ransom in order to recover data and prevent the business from going bankrupt and having to lay off 60 employees? Yes, it is. But Medibank's situation is different. The fact that data is in the cybercriminals' hands isn't an operational impediment, which is why many organizations pay. Instead, it's digital hostage taking.
It's way worse than compromised driver's licenses, passports and Medicare numbers that were exposed recently in a data breach affecting Optus, which is the country's second-largest telecommunications company. If we choose that Medibank should pay, what's the value of preventing a sudden dump of 200 gigabytes of sensitive data? The lack of trust and control over what cyber criminals will subsequently do means that outrageously high ransoms don't make sense. Is it better that Medibank pays to prevent a mass release of records, but accepts that it's likely some of the data will be sold away quietly anyway? Perhaps that may help avoid mass anxiety if the data is dumped on the internet. Another disadvantage of paying is that it usually invites more attacks from other groups. That means if Medibank doesn't get its IT security house in order quickly, it could find itself in the same position a few weeks down the road, and Australia has already had enough on its plate the last few weeks. For Information Security Media Group, I'm Jeremy Kirk.
Delaney: Snyk, Varonis and Cybereason add to the list of cybersecurity vendors who have decided to lay off a percentage of their staff. I caught up with our business editor Michael Novinson to explain the growing trend of redundancies in the tech world. Great to see you, Michael. So there have been a string of layoffs at big cybersecurity vendors this week, including Snyk and Cybereason. What do we know so far?
Michael Novinson: Anna, thank you for having me. We've been seeing a number of layoffs over the past two weeks as vendors get their numbers in from the third quarter, either ending September 30 if they're reported publicly, or ending October 31. And I think companies are having to reckon with slowing sales as well due to the economic downturn. So last week, we saw Snyk, who's in the application security space, as well as Cybereason, who's in endpoint security. They both disclosed a second round of layoffs, both laying off approximately 10% of their workforce. Each of them laid off over the summer; Snyk's was smaller, Cybereason's was also of a decent size over the summer. Then Forescout, who's in the IoT security space, announced both a CEO change as well as a workforce reduction - an undisclosed number of employees. Then, this week, we've had two additional ones - Varonis, who's in the data security market, they're publicly traded. When they disclosed their earnings for the quarter ending September 30, they had said that they're going to be reducing their headcount by about 5%, which would be just north of 200 workers. And then most recently, Checkmarx, who's also, like Snyk, in the application security market. They yesterday reportedly laid off roughly 10% of their workforce, or about 100 employees. We had a few major layoffs in June and July as the economic downturn was becoming a reality. And now, as companies are having to reckon with slowing sales stemming from rising interest rates, inflation, etc., we're seeing some companies go back to the well, like Snyk and Cybereason, to do additional headcount reductions. And then we're seeing other companies that maybe avoided layoffs over the summer having to look at trimming their workforce to deal with the new reality.
Delaney: And Forescout is an interesting case. You see CEO Wael Mohamed has exited after being in the role for just over 18 months. In March 2021, he became Forescout's third CEO in six months and his departure also, as you say, follows a round of layoffs for the company. But unlike Snyk and Cybereason, Forescout has not disclosed how many workers it has laid off. I welcome, Michael, your thoughts on this and any reasons as to why all the secrecy?
Novinson: So good question. And I guess nobody likes talking about the bad news. There's been a norm, particularly for the venture-backed firms in recent months, especially if there are larger layoffs: they'll essentially post the message, the CEO emails their employees, they'll post it on the company blog a little bit thereafter to try to give a sense of transparency. Particularly, when you're talking about cybersecurity, there's a sense that companies should be transparent about what's going on. Nobody wants a security company that isn't trustworthy. So I think there's been a push from some of those venture-backed companies to try to be somewhat open about what's going on at their companies. To see them as such, it's going to try to put the best possible face on it, but at least to be somewhat open. Forescout took a different track. They also posted a blog. It wasn't authored by anybody; it was just a long description of what they've done over the past few years. And then in the last paragraph, they make a reference to pursuing efficiencies, but never even use the word layoffs or disclose how many people it is. So it's a bit unusual. I think people are understanding that the economy changed on a dime here, and the companies are having to adjust. So it's a little surprising that they perhaps weren't more open. In terms of the CEO changes you had alluded to, this is going to be Forescout's fourth CEO since September of 2020, which is not great from a stability standpoint, if you look at highly successful companies in any industry. Fortinet, Check Point and CrowdStrike, they've had the same CEO for many years. So to have this many leadership changes in such a short period of time isn't great. They presented it almost as an anticipated departure, that the person who had stepped in, Wael Mohamed, in March of 2021, perhaps he was thinking of it as a shorter-term assignment. He was later in his career, and he was just helping to do a turnaround job.
That was almost how they presented it that he had completed Phase one, and then somebody else was going to take Phase two. What is the point, it was an outsourced certainly, no illusions to that. He wasn't presented as a permanent long-term fix for the CEO role. So I can't say necessarily how anticipated this was, but they are in the market for another CEO and hopefully, for their sake, they'll find someone who sits around a little bit longer.
Delaney: So Michael, what happened because Forescout earlier this year said in a blog post that it's on track to achieve 80% recurring revenue, with both accelerating annual growth and profitability. So what went wrong?
Novinson: That's a fair question. When you're talking about data points, it gets hard when you're talking about companies that are privately held. Forescout went private in August of 2020; they were bought by Advent International for 1.45 billion. So the challenge with private companies is that whatever stats they have are cherry picked. If you're publicly traded in the United States, you have to disclose a certain set of numbers as mandated by the U.S. Securities and Exchange Commission so investors and journalists and the rest of the community can see the whole picture. If you're privately traded, you can cherry pick whichever numbers make you look the best, disclose those and then say, "We're privately traded, we can't disclose anything else." It makes it hard to evaluate the overall health of a private company, because, for instance, they haven't disclosed any numbers around profitability, net income, either on a GAAP or non-GAAP basis. So, we do know that the investment community is prioritizing profitability right now. It's more opaque when you're talking about a private company. In terms of their market landscape, they've rebranded themselves a couple times in the past few years; they historically were IoT security. Then, following the Advent acquisition, they started calling themselves the Enterprise of Things or EoT, which was meant to be broader than IoT. Now, more recently, they're calling themselves autonomous cybersecurity. Automation has become a hot topic in the industry. But the idea of trying to figure out how to automate more of the prevention and detection task rather than just automated response and remediation. Their functionality hasn't changed that much. The legacy technologies run that network access control. There's a lot of competition there from Fortinet, who bought Bradford Networks.
In the IoT, OT space, you have newer companies like Armis and Claroty and Nozomi Networks are also doing this, maybe working with slightly more modern technology. So it's a tough market landscape that they face, both in terms of big incumbents like Fortinet, as well as startups who may have slightly more modern architecture. So I don't know if they're gaining market share or losing market share, how they're stacked up against the rest of the industry. So it'll be interesting to see if there are any strategic changes as the new CEO comes to the helm.
Delaney: And what next? Are we likely to see more layoffs at other cybersecurity vendors? Or have we reached a peak?
Novinson: That's a good question. Unfortunately, I'm not having a great feeling. I'd hoped that given all the cuts we saw in June and July that that was everybody preparing for the downturn, and we were going to be on firmer ground. But these past two weeks have been very sobering. As we started to see the publicly traded companies report their earnings for the quarter ended September 30, we're seeing companies lower their outlooks, we're seeing companies not meet their expectations for sales. So I would not be surprised, especially with some of these other public companies who missed their numbers, if they disclosed headcount cuts as part of their earnings announcement. It sounds a little morbid, but investors are often happy to see headcount reductions because it signals that the company is trying to get cost under control to focus on profitability. So if the company is going to get walloped by investors because the numbers were bad, often they'll try to announce layoffs to soften the blow from investors a little bit. So I wouldn't be surprised to see other companies that are like Varonis, but it just seems like cybersecurity isn't immune to funding and buying patterns. If people are cutting back on spending, it does seem like it's affecting the cybersecurity sector at least a little bit. It's also harder to access money now with the rising interest rates. So if the sales are starting to decelerate, I fear we may see over the next month or so additional companies making layoffs, whether they disclose them or not.
Delaney: Well, it's something to watch. And Michael, always appreciate your excellent analysis of the business news. Thank you.
Novinson: Of course. Thanks so much for the time.
Delaney: Next we turn to ISMG's Mathew Schwartz. Matt, we just heard the sad news that Vitali Kremez, a threat intelligence expert living in the U.S. who grew up in Belarus, has died after a suspected scuba diving accident. You've reported that there have been a number of tributes pouring in for him.
Mathew Schwartz: Yes, it's a sad turn of events this week. Vitali reportedly went scuba diving Sunday morning in Florida, and was found dead on Wednesday after an extensive U.S. Coast Guard search and rescue effort. He was only 36.
Delaney: And we have the good fortune to have Vitali not just be a source for our reporting, especially on cybercrime, but also to occasionally drop into the ISMG studio.
Schwartz: Definitely. It was always fun getting to catch up with him. He had a passion for tracking cybercrime and the threat actors involved. At the RSA 2022 conference this year back in June, I got to sit down with him to discuss one of the biggest ransomware stories of the year: the Conti Group, which retired its brand name after its disastrous decision to publicly back Russia's February invasion of Ukraine. As we explored during the interview, Vitali and his colleagues at Advanced Intelligence, which is a boutique threat intelligence firm founded in New York City, were closely tracking the Conti Group's activities, including it having launched multiple new groups, including Quantum, Hive and Black Cat, before the group's operators retired the Conti brand name. So one of Vitali's skills was in tracking cybercrime gangs' operations, including the malware they were using, but another was seeing the big picture. And so I asked him, these ransomware-wielding attackers that are making millions of dollars, some of them in annual revenue, do they ever decide they've made enough money? Do they ever try to go legit or maybe even just retire? And here was his response.
Vitali Kremez: It's a good question. Generally, this lifestyle that they have, it affords lots of luxuries, specifically, if you live in Eastern Europe, you can afford Lamborghinis, you can drive around the city and afford it. They're like oligarchs, live the lifestyle of the richest of the riches. So it's hard to go back to this lifestyle where you have to work hard and earn money the right way. So oftentimes, it's like once they get hooked into this business, it's hard to get away. The only ways we've seen them get away from this business is when the Russian intelligence or law enforcement agency recruited them for their own operations. That's what's happened with the creator of the Zeus malware, who we all suspect that he works with the Russian intelligence and law enforcement agencies now. So some of the most successful ones became forceful employees for Russian intelligence basically, and that's the way out.
Schwartz: So I'd like to end with the funnier side, because Vitali had a great sense of humor. Right before the interview at RSA in June, he had cut himself on the chin shaving, so there we are. He's dabbed it away with a tissue, trying to get it to stop. Well, we got the crew, get everything set up for the shot, getting his microphone on and all that. But he's getting blood all over his white shirt. So in the midst of this, we cook up a Jason Bourne-type cover story: if anyone asked, he had suffered a flesh wound while battling cyber criminals in the streets of San Francisco to keep us all safe.
Delaney: There, minus the fisticuffs, all true. Thanks for joining us for the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time.