Greg Scasny is the CTO of Cigent Technology, a company that specializes in preventing cyberattacks. He is also the luncheon speaker at Radio Ink’s Forecast 2022. We reached out to Scasny about the Marketron attack to get his thoughts on what radio stations should expect as Marketron deals with the situation.
Radio Ink: What do you know about Blackmatter?
Scasny: Blackmatter is the successor to the now defunct ransomware groups Darkside and REvil. Those “groups” are known as “Ransomware As A Service” organizations. That means they are not the ones actually carrying out the attacks, but they lease their ransomware capabilities to other cybercriminal groups that carry out the actual attacks, and collect a fee based on the amount collected.
Blackmatter has described themselves as “looking for deep-pocketed organizations with revenues of more than $100 million: the size of organizations that could be expected to pay big ransoms“ and the project has incorporated in itself the best features of DarkSide, REvil, and LockBit.
One area of interest is the types of organizations that Blackmatter has vowed not to target: hospitals, critical infrastructure facilities, Oil and Gas, Defense industries and Not for profits are supposedly on the do not touch list, but realize they are criminals, so be careful who you trust.
Radio Ink How long do you think something like this will take to get the situation back to normal?
Scasny: That’s hard to say. Even when companies pay the ransom, it can take weeks and months to get systems back to normal, if they ever get back to normal. The cost can be immense as well. Scripps Health was offline for weeks, and the lost revenue alone was over $100 million. It really depends on how deep the attackers got, and how long it will take them to recover from back-ups, assuming the attackers didn’t encrypt or remove any backups they have.
In addition, it will take time to complete cyber-forensic investigations on how long the attackers had access to their systems, because even if they have viable backups, if the malware or remote access methods the attackers use were then backed up, they would be restoring systems that the attackers could then get back into and re-encrypt. Unfortunately, nothing about recovering from a devastating cyber attack is quick.
Radio Ink: What should radio stations and radio companies be worried about after reading this note from Marketron?
Scasny: Every business should be concerned about cyber attacks. While groups like Blackmatter are looking for the big phish to get large payoffs, there are thousands of other threat actors who will gladly ransom any sized company to get a payoff. No one is immune.
Radio Ink: Why do you think this happened? Is it 100% avoidable?
Scasny: It happened because these ransomware operators are out to make money. They will relentlessly target organizations to find any way into their networks. The larger and more tech-focused the organization is, the larger it’s attack surface is and the harder it is to defend. Marketron is a large company, which put them right in the crosshairs of the newly formed Blackmatter group and their affiliates.
There is nothing that is 100% avoidable. But it’s my opinion that with enough monitoring of security telemetry, this is detectable and could be stopped prior to it becoming a full scale ransomware incident. That’s just an opinion and nothing has been released on the root cause of the incident.
Reach out to Greg by e-mail at [email protected] or by phone at 305-767-3853.
The day has come where even having redundant off site backup doesn’t mean you are fully protected anymore. This is very scary for all businesses that rely on digital services online.
The thing people/organizations should realize is exactly what you said – offsite backup is just another connection that the attackers can detect, and remove/encrypt during a successful attack. Attackers today are extremely IT savvy, and know how IT operations work, and will perform the necessary reconnaissance to find out every avenue a company has to recover operations and disable those avenues so that a company has to pay the ransom. Luckily those operations are detectable, companies have to employ the right monitoring telemetry to detect and respond to those attacks in a timely fashion.
Really interesting interview. And… really scary. Very much looking forward to hearing what he has to say at Forecast. Thanks-