Plaintext: It Pays To Be Skeptical of Criminals

Welcome to Dark Reading in Plaintext, brought to your inbox this week by Axonius. In this issue of Plaintext, we look at a promising trend in ransomware attacks: victims refusing to give in to extortion demands to pay ransom. We also consider the worrying possibility of NIST losing funding for its cybersecurity mission as part of the federal government's cost-cutting efforts. If you enjoy Plaintext, please share with friends and colleagues!

Criminals (Often) Lie. Don't Fall For It. Ransomware actors increasingly rely on extortion to pressure victim organizations into paying a ransom. They threaten to leak — and in some cases do leak — highly sensitive data, including patient records and images, on public data leak sites. The success of using leak sites as an extortion tactic recently inspired an unknown threat actor to deliver ransom notes to victim organizations through postal mail under the guise of the BianLian ransomware group.

While posts on these leak sites coerce victims with a payment-clock countdown, time may be running out for these threat actors. Organizations are beginning to realize that threat actors often lie about the type or amount of stolen data they actually have. As more victims take notice, ransomware groups may find it harder to use extortion to collect ransoms going forward.

Though ransomware activity skyrocketed in 2024, Chainalysis found that payments declined last year. Many factors contributed to the decrease, but one promising possibility is that victims caught on to the groups' lies about what was stolen and refused to pay.

"Frankly, it is good to see that the cliche 'verify, then trust' mantra we have preached across our industry is becoming the new normal even for the everyday individual [who] may not be as well versed in cybersecurity." — John Hammond, Huntress

Recognizing the lies has "the added perk in preventing duped victims from paying false ransoms, and that's a win for the good guys," says John Hammond, principal security researcher at Huntress.

Ransomware groups are highly adaptable — often joining or creating new groups when one is disrupted — so they will move to new tactics when leak sites stop being effective. Disrupting the flow of payments to ransomware groups is key to stopping attacks. A payment ban making it illegal to pay ransom is one option. Another possibility is having cyber insurance companies stop reinforcing ransom payments. Blocking funds means less money to fuel future attacks.




Please Keep Funding NIST. Eight industry groups (including the Cyber Threat Alliance, Cyberspace Solarium Commission 2.0, and Telecommunications Industry Association) wrote to the US Secretary of Commerce asking to protect and prioritize funding for the National Institute of Standards and Technology's (NIST) cybersecurity mission. The letter listed NIST's role in developing and maintaining the Cybersecurity Framework 2.0, Privacy Framework, Risk Management Framework, and the NICE Workforce Framework for Cybersecurity. "Without sustained funding, the agency risks losing its top talent, which puts its ability to provide essential cybersecurity guidance, research, and standards at risk," they wrote.

"With escalating cybersecurity activity — particularly from the People’s Republic of China (PRC), which continues to actively target U.S. critical infrastructure — it is imperative that we safeguard our nation’s ability to counter these advanced persistent threats. In addition, we must push back against burdensome international regulatory approaches to cybersecurity, which hamper innovation and undermine U.S. competitiveness. NIST’s work is critical to meeting both of these objectives," they wrote in the letter.

What We Heard On-Air

Tune in to our on-demand webinar Threat Hunting: Tools and Techniques to Stay a Step Ahead of Cybercriminals.

"Logs are cheaper than lawyers." —Brittany Deaton, Solutions Engineer, Sophos.

From Our Library

Check out some of the latest reports from our Dark Reading Library!

[Axonius] The State of Cyber Resilience

Dark Reading Reports: What Issues and Challenges Cybersecurity Pros Care About

Tech Insight: Building Blocks for Next-Gen Security Operations

Tech Insight: Digging Out of Your Organization's Technical Debt

Dark Reading Reports: Understanding Social Engineering Attacks, What to Do About Them

On That Note

The chart below, from the ISC2 Cybersecurity Workforce Study, looks at job satisfaction levels by how people work (in-office, hybrid, remote, or flexible), and it is an interesting one. People appear to be satisfied with wherever they are working, although a larger percentage do seem to prefer being fully remote.

Job satisfaction by how people work. Most people like being fully remote but plenty of people are happy with in-office roles, too.
Source: ISC2 Cybersecurity Workforce Study

ISC2 breaks the numbers down further: Only 20% of women (and 21% of men) in the survey were fully remote workers, but they had the highest job satisfaction of any group. And while 23% of women and 22% of men in the study were required to be in-office full-time, women in this group expressed higher job satisfaction than the men.

