ISMG Editors: Ransomware - The Growing Public Health Crisis
Also: Anticipating Donald Trump's Second Term; a Surprising Cybersecurity Merger
Anna Delaney (annamadeline) • November 15, 2024
In the latest weekly update, ISMG editors explored the growing threat of disruptive ransomware attacks as a public health crisis, the potential global impact of Donald Trump's second presidential term, and the implications of the latest big merger in the cybersecurity solutions market.
The panelists - Anna Delaney, director, productions; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; Chris Riotta, managing editor, GovInfoSecurity; and Michael Novinson, managing editor, ISMG Business - discussed:
- Why officials fear ransomware attacks on healthcare by mostly Russian-affiliated groups are creating a public health crisis with global implications;
- How the second Trump term could lead to shifts in global cybersecurity activity, and which sectors should remain particularly vigilant;
- The Cybereason and Trustwave merger, highlighting its potential to create a cybersecurity powerhouse by bringing together leading MDR, EDR, DFIR and threat intelligence capabilities - while acknowledging challenges in market competition and service integration.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Nov. 1 edition on law enforcement's ransomware crackdown and the Nov. 8 edition on the U.S. election's impact on cybersecurity and HIPAA.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll discuss ransomware as a public health crisis, the potential global ramifications of the second Trump term and a major merger in the cybersecurity industry. The great team joining me today is Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; Michael Novinson, managing editor for ISMG Business; and Chris Riotta, managing editor for GovInfoSecurity. Marianne, let's start with you this week. Ransomware has been declared a public health crisis, with Biden officials and 54 UN member states calling for global action as attacks on hospitals like the recent embargo case escalate risks to patient safety. We've discussed numerous ransomware attacks on healthcare this year alone. What's your perspective on the current ransomware landscape in healthcare, and what are the broader implications of these developments?
Marianne McGee: As our colleague Mat Schwartz reported, last Friday, Anne Neuberger, the Biden administration's deputy national security advisor, in a briefing at the United Nations Security Council, called out Russia for the vast number of cyberattacks being targeted at the U.S. and elsewhere, especially in healthcare. She accused Russia of allowing ransomware actors to operate from its territory with impunity, even after it has been asked to rein them in. Last year, two cybercriminal groups linked to Russia - BlackCat and LockBit - accounted for more than 30% of the claimed healthcare ransomware attacks worldwide, Neuberger said. She also mentioned that the U.S. Department of Justice in May charged the developer and administrator of LockBit, Russian national Dmitri Khoroshev, with 36 federal crimes related to hacking. But Russia does not have a policy for extraditing Russian nationals, so it's highly unlikely that Khoroshev will ever see the inside of a U.S. courtroom.
Neuberger emphasized that ransomware attacks targeting healthcare sector entities often result in major disruptions that jeopardize patient care and access to medications, increase the length of patient stays, force the transfer of patients to other facilities, and ultimately cost lives. She noted that health experts have estimated that ransomware attacks have been responsible for the deaths of dozens of patients just in the U.S. due to such disruptions.
In 2024, LockBit claimed credit for cyberattacks on hospitals outside the U.S., in Croatia and France. BlackCat was behind the record-breaking ransomware attack on UnitedHealth Group's Change Healthcare IT services unit, which disrupted the U.S. health system for months and resulted in a data breach affecting at least 100 million people, about a third of the U.S. population.
There are other Russian-affiliated groups targeting healthcare. Russian-speaking ransomware group Qilin claimed responsibility for the June attack on pathology laboratory services provider Synnovis in the U.K., which forced the postponement of over 10,000 patient appointments and procedures at National Health Service hospitals in London. The ransomware attack also triggered a national shortage of type O blood in the U.K. Russian-speaking ransomware-as-a-service group Black Basta claimed to be behind the May attack on U.S. hospital system Ascension, which disrupted patient care at many of its facilities across several states for weeks.
During the UN Security Council meeting, 54 UN member states, including the U.S. and U.K., signed a joint statement saying that they are deeply concerned with the frequency, scale and severity of ransomware attacks against critical infrastructure, particularly hospitals and other healthcare facilities. The statement calls upon all UN members to collectively work together to strengthen cybersecurity and resilience of their critical infrastructure and to work together to confront and disrupt ransomware threats, especially those targeting healthcare and emergency services.
Meanwhile, between the upcoming changing of the guard in the White House and President-elect Donald Trump's seemingly friendly relationship with Russian President Putin, it's hard to predict at the moment what might happen in terms of Russian-affiliated cyberattacks on healthcare and other sectors, and the response that the U.S. and other nations might take moving forward. The healthcare sector and other critical infrastructure segments are still under threat, whether from Russia or other nation-states. It's still a scary situation, especially for patients.
Delaney: Have there been any recent examples of ransomware incidents in the sector that have surprised you in terms of scale or methods used?
McGee: The attack on UnitedHealth Group's Change Healthcare IT services unit in February had disruptions that affected thousands of doctor practices and healthcare providers in terms of basic things like checking patients' eligibility for insurance. There were disruptions in prescriptions getting filled, and a lot of these entities couldn't bill, so they were forced to take out loans. It was a massive disruption, but also a massive data breach. It was amazing to most people, even those in the healthcare sector, how that one attack could affect so many entities for so long and have such a vast impact across the U.S. population in terms of the data that one company has in its systems. That's the biggest surprise so far this year. Hopefully something like that won't happen again, but regulators and others are worried about other companies like it being under attack.
Delaney: Chris, on the last Editors' Panel, we discussed how the recent U.S. election results could impact U.S. cybersecurity policy and healthcare privacy. This week, you've examined the potential global ramifications, particularly how international threat actors might respond to these changes. What's your take on this?
Chris Riotta: There's no question that Trump's return to the White House is going to bring significant changes to U.S. technology and cybersecurity policy. A lot of folks have told me that there will be new federal approaches to regulating AI and changes in industry investment. We saw during Trump's previous administration a multi-faceted approach to tech policy. His team launched antitrust lawsuits against Google. There was really this strong emphasis on taking on Chinese tech companies and emphasizing national cybersecurity through stronger public-private partnerships. But we also saw Trump fuel disinformation around COVID-19 and election integrity. Experts say that his next presidency could bring a chilling effect on the naming-and-shaming policies aimed at Russian threat actors, a tactic that the U.S. intelligence community has really aggressively pursued under the current administration.
Since President Joe Biden took office, the Department of Justice has filed complaints and conducted law enforcement actions against Russian cybercriminals, including those responsible for software designed to steal personal and financial data. We already know from the World Cybercrime Index, and as Marianne laid out, that Russia is the leading source of global cybercrime and the top hub for digital threat actors worldwide. Trump obviously has a more favorable relationship with the Russian president than the current administration. Experts are saying that Trump's stance and policy toward Russia could sort of allow this potential emboldened Russian hacktivism, intensified cyberattacks on Western allies, and an uptick in AI-driven disinformation in conflict zones.
A second Trump presidency could really even heighten cyberthreats in the Middle East, with regional groups potentially escalating attacks on Israel's allies and Iran covertly targeting Western infrastructure to sort of weaken support for Israel during its conflict with Palestine. The global and domestic cyberthreat landscape could sort of reach new intensity as a whole during a turbulent political transition in these next couple months in between administrations.
Experts who I've spoken to, including Neal Higgins, a former deputy national cyber director, emphasized that adversaries will seize any opening to advance cyber and information operations against U.S. critical infrastructure, the economy and political systems. Neal said that this makes it essential that over the next couple of months there are transition operations in place, and that we really not let our guard down during this turbulent time.
Trump has yet to announce his key cyber appointments in his transition team, but experts already expect a shift in federal approaches to everything from AI regulation to industry investment and national security. Threat actors, they suggest, will likely target NATO governments, seeking to exploit the uncertainty that comes with the Trump term around the alliance's direction. We remember from the last Trump administration that it was very hard on NATO, and we can expect to see that continue.
Experts also warn of increased aggression from China and potentially North Korea. Beijing is likely to intensify cyberattacks on critical infrastructure, possibly similar to the recent Salt Typhoon campaigns. In October, Congress demanded action from telecom giants after suspected Chinese hackers linked to Salt Typhoon reportedly breached major broadband providers' infrastructure, including systems handling court-authorized wiretaps. With the change of guard in Congress, it'll be interesting to see how those investigations continue, if they do continue. North Korea is expected to continue its cyber-focused pursuit of cryptocurrency funds, using the revenue to further invest in its own advanced cyber capabilities, and ransomware groups could make a comeback if international anti-ransomware initiatives established under the current administration lose their momentum, potentially leaving key sectors vulnerable to heightened ransomware threats. This, like many of these other potential activities by global threat actors, is a big what-if, or a big "if" Trump chooses to kind of turn a blind eye to heavily Russian-linked threat actors due to his favorable relationship with Putin.
Delaney: Given the anticipated shifts in global cyber activity, which regions or sectors do you think need to be most vigilant right now?
Riotta: Critical infrastructure always has been and will always remain a sort of top target. During Biden's term, the U.S. issued numerous indictments and launched a series of law enforcement actions against Russian operatives, that sort of naming and shaming that we discussed earlier. Security researchers have told me that Trump's return could sort of further embolden the Kremlin, prompting escalated attacks on Moldova and other nations edging toward EU membership or aligning with Western policy.
Russian cyber activity in the Balkans has already begun targeting government systems and critical infrastructure to destabilize infrastructure and weaken ties with the West. Experts suggest that an emboldened Russia could increase attacks on Balkan states, Georgia, Moldova, while ramping up AI-powered disinformation campaigns across Western Europe. They've said that Russia has targeted countries like Kosovo for supporting Ukraine, and actions towards Moldova have really been with the goal of undermining trust as those countries are shifting towards the EU.
Critical infrastructure will remain a huge target over the years to come, particularly if China chooses to flex its positioning in U.S. critical infrastructure systems amid any potential conflict, perhaps with Taiwan, potentially showing that it can sort of shut down major components of U.S. critical infrastructure, even if only temporarily, to sort of warn against military engagement in the region.
One thing I'll be watching very closely is how Trump chooses to leverage CISA, which is actually one of the federal government's youngest agencies, but really plays such a critical role in securing critical infrastructure and building those critical public-private partnerships in defending critical infrastructure, since so much of it is privately owned and operated. Trump fired his previous CISA director for accurately stating that the 2020 election was secure. Those are comments that were similarly echoed after this election by the current CISA director. So we will just have to wait and see how the next administration chooses to utilize that agency.
Delaney: Michael, in cybersecurity business news, you've reported this week that Cybereason and Trustwave are joining forces to build a powerhouse in cybersecurity, combining their strengths in detection, forensics and threat intel. What's your take on this merger, and what do you think this move signals for the cybersecurity landscape?
Michael Novinson: Thank you for the opportunity. Consolidation is one of the most misused terms in cybersecurity. There's a tendency to call any acquisition consolidation - even though most acquisitions are pretty early startups with a couple dozen employees and a few million in revenue getting bought. And that doesn't really consolidate anything; it's just a new piece of technology, the founders go and create a new startup, and you're right back to being unconsolidated. But from time to time, we do see these more strategic-level deals where you're seeing large, mature companies who've specialized in different security technology categories coming together, or companies that have some overlap trying to come together to create scale.
We'd seen a decent amount of consolidation in previous years around identity. We'd seen companies like Thycotic and Centrify come together in privileged access management to form Delinea. We've seen more recently Ping Identity and ForgeRock come together to be Ping, but to be larger in that identity and access management space, and now we're starting to see it more outside of identity.
A couple of weeks ago, we had Sophos buy Secureworks. These were two cybersecurity companies founded in the 20th century coming together, which you do not see often. Really the idea is bringing Sophos' expertise around products, whether that's endpoint, network or email, together with Secureworks, which is focused more on the services side - their heritage being in managed security services, and then moving into MDR and XDR more recently. So really, getting that product and services under a single umbrella, obviously, allows them to compete more effectively against the likes of a CrowdStrike, which does both technology and services, as does SentinelOne, as well as Microsoft, who's really the goliath given their size.
Fast forward to this week, and we've now seen a similar move, with Trustwave and Cybereason coming together. On the Cybereason side, it's been clear that company has been struggling for several years now. They missed their window to go public. They were at one point valued at $3.3 billion, then less than two years later had to cut their valuation to $300 million. Their founding CEO left. SoftBank had been the lead investor early in the company's days; Steve Mnuchin's firm took a big stake when they were valued at $3 billion, then Liberty Strategic backed up, so SoftBank became the biggest investor at the smaller valuation. The company's headcount is down nearly 50% from its peak in early 2022. The endpoint security market is very crowded and just wasn't really a space for one more entrant, even if they had decent technology. SoftBank was trying to figure out what to do with them. SoftBank itself has had a whole bunch of issues, notably that they put a ton of money into WeWork, which did not work out very well, obviously, and then had actually withdrawn money that they'd invested into OpenAI in the early days to further fund WeWork. So SoftBank has had its own financial difficulties and has been trying to find a way to rationalize some of its investments, so it was clear that they were looking to try to figure out what to do with Cybereason, because it was pretty apparent an IPO was not going to be in their future.
So enter Trustwave. This is the part that's more surprising. Trustwave had been owned by a conglomerate out of Singapore called SingTel, which bought them for $770 million in 2015. It was an era where you just had a bunch of these conglomerates, particularly in Asia, stacking up cyber companies, thinking that it was going to be part of the big stack. They didn't perhaps appreciate how different the go-to-market motion is, how different the product development lifecycle is in cybersecurity, versus all the other areas they're in. And these things often just languished. SingTel had been looking to get rid of them for several years, according to media reports, and then finally sold them to MC2, which is essentially the private equity arm of the Chertoff Group, for $205 million. So the company's valuation went down about 75% over the course of SingTel's ownership. And headcount is also down, not as much as Cybereason, but down 25% or 30%.
Trustwave's only been owned by MC2 at this point for 10 months, and now we're hearing that MC2 is going to sell them to SoftBank. SoftBank's going to be the majority owner, and that is going to bring these two entities together. So certainly, I think this is really a cost synergy play. Obviously there's a whole lot of back-office expense you can take out in terms of G&A, legal, HR, finance - all of that type of stuff can be synthesized. You certainly have to imagine that on the go-to-market side, you can have the same folks selling both stocks. And then also on the technology side, you have some overlap in MDR, where Trustwave is probably more mature, but Cybereason also invested in MDR. You have to assume the company's not going to go forward with two MDR offerings. So one will be sunset. The employees who are working on that will be affected. I really do honestly see this as a cost takeout play. I mean, you look at somebody like Trustwave - they were worth $205 million in January, and they employ more than 1,100 people. And that's the challenge with services in general: unlike technology, it doesn't scale the same way. In order to deliver more services, you have to hire more people. But that ratio of 1,100 employees for a $200 million valuation is not great. And SoftBank's been pretty aggressive about cutting headcount at Cybereason and other companies, so I have to imagine that they're going to be pretty aggressive here in terms of trying to create a company with more revenue that addresses more markets, but is doing so in a more profitable way. Obviously, I think the hope would be, from a SoftBank standpoint, that two to three years down the road they have a company that has a larger revenue figure, can say that it plays in more markets and that the financials are better, and then they can facilitate their exit out of this.
Delaney: What are the challenges you foresee for the combined company as they integrate their services and capabilities across different regions?
Novinson: Even with the two of them being together, it's still not a tremendous degree of scale. In terms of the most recent market share data from IDC, Cybereason is not even in the top seven. And the ones up to number seven, they're growing fast. Cybereason is way down there, and then in terms of MDR, you're just having to compete against companies that have moved into MDR, like Microsoft and CrowdStrike and SentinelOne. I have the feeling Palo Alto Networks is increasingly playing there as well, and that's just hard. People are looking to use fewer vendors, and especially when you're talking about an MDR stack, this is not a startup; this is a company that's been in the space for a long time. You're talking about a legacy MDR staff that you're having to acquire on more of a standalone basis, versus the platforms that the larger players can have. I think it's - even with this merger - hard to get the critical mass that's going to be needed, and I think beyond that, it's going to be just the standard challenges with mergers, in terms of figuring out, in areas of overlap, who do you move forward with? How do you maintain customer retention?
They're planning to have the companies operate independently, which sounds very strange - they're merged, but they're operating independently. I'm assuming that's more on the front end. It's like, for those of us who live in the United States, Marianne and I can go to Stop & Shop and Chris can go to Giant, but they're the same - they're both owned by the same entity. It's the same entity, just with a different brand on the front. And I'm assuming when they say they're going to operate independently, it means if you're buying an endpoint security technology, it's called Cybereason, and if you're buying MDR, it's called Trustwave, but it's essentially powered by the same back end.
Delaney: Finally, and just for fun, if you could give AI a voice - celebrity or otherwise - for your security alerts, whose voice would you choose and why?
McGee: I would pick James Earl Jones. Anything that would wake you up.
Riotta: I went a completely opposite direction. I thought Morgan Freeman, but I would want him to provide a little message of hope after the alert. Or at least tell me what the patch is.
Novinson: The late football announcer John Madden, because I just enjoy his nasally, high pitched voice and him explaining things that you already know. That would be perhaps a bit more lighthearted, though maybe folks wouldn't take it quite as seriously as the other suggestions.
Delaney: I'm going with the genie from Aladdin, Robin Williams style. Lots of energy, surprise, good humor. That's what you need on a daily basis to cheer you up. Thank you all for your insights. It's been great stuff.