LockBit suspect cuffed after ransomware forces emergency services to use pen and paper
Plus: CISA has a flowchart for patching, privacy campaign goes after face search engine
In Brief A suspected member of the notorious international LockBit ransomware mob has been arrested – and could spend several years behind bars if convicted.
Canadian and Russian national Mikhail Vasiliev was nabbed on November 9 in Canada and is awaiting extradition to the United States to face charges he conspired with others to intentionally damage protected computers and to transmit ransom demands in connection with that damage, the US Department of Justice said. Allegations of efforts to spread ransomware and extort victims, basically.
"This arrest is the result of over two-and-a-half-years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world," said Deputy Attorney General Lisa Monaco.
The LockBit crime ring has been around since 2019, and has hit high-profile targets in multiple nations. According to US prosecutors, this ransomware strain has been deployed against more than 1,000 entities, and members of the gang have extracted "tens of millions" of dollars in ransom payments.
Most recently, LockBit in August infected an IT supplier of the UK National Health Service, disrupting the NHS 111 medical emergency line. According to security researchers, the attackers gained access using Citrix server credentials. Staff were forced to use pen and paper when systems were taken down.
Vasiliev's suspected role in the criminal ring is unknown outside of the charges leveled against him by a federal court in Newark, New Jersey, and the DoJ didn't say which of LockBit's many victims have been linked to Vasiliev's alleged actions.
If convicted, Vasiliev, 33, of Bradford, Ontario, could face up to five years in prison and a fine of up to $250,000, or twice the monetary losses he caused, whichever is greater. If Vasiliev is linked to most of LockBit's $10 million-plus takings, it's likely to be a bit more than $250k.
Should you patch? Here's a handy flowchart from CISA
The US government's Cybersecurity and Infrastructure Security Agency (CISA) has developed a decision tree to help it decide when to patch, and clearly thinks the diagram is far too cool to keep to itself.
CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) system separates vulnerabilities into four categories: Track, which doesn't require action; Track*, which requires close monitoring and action within standard update timelines; Attend, meaning it needs to be patched sooner than standard update timelines; and Act, which require action as soon as possible.
From there, the SSVC tree makes a decision based on exploit status, technical impact, how easily an attacker could automate the attack, how directly the exploit would affect mission-critical systems, and whether the exploit would have an impact on public well-being. While there is pressure on IT teams to install fixes, no one wants to – for instance – bring down a production service by rushing a dodgy, untested patch for a vulnerability that is unlikely to ever be exploited in practice.
CISA has made a PDF guide for organizations that wish to learn more about the framework and follow it, as well as an SSVC calculator that can help organizations develop an appropriate decision-making tree when it comes to applying updates.
Alongside talk of its decision tree, CISA announced additional plans to grow a wider vulnerability management ecosystem that will include an automated, machine-understandable security advisory framework, and a push for organizations to join vulnerability exploit exchange systems.
UK privacy campaign goes after yet another facial-recognition search engine
Big Brother Watch, a UK-based privacy advocacy group, has filed a legal complaint with the nation's Information Commissioner alleging that PimEyes, a facial recognition image search engine, is unlawfully processing data on millions of British citizens.
Much like Clearview AI before it, PimEyes scrapes public websites for photos, which it stores in a massive database. Anyone can upload a photo, Big Brother Watch said, "which is then processed using facial recognition technology to find potential matches from an index of billions of photos from the internet."
Big Brother Watch said that PimEyes places no limits in the types of images that may be used for searches, and when it returns a match it also returns the URL where the photo was found, "allowing the user access to highly revealing contextual information."
Although PimEyes says that it's not intended to be used as a surveillance tool, Big Brother Watch said that it has no safeguards in place to prevent such use.
Unlike Clearview AI, which is aimed more at businesses and law enforcement, PimEyes is open to the public, "and can be used by anyone on the internet," Big Brother Watch said. Given the UK authorities slapped Clearview AI with a fine, as well as telling it to stop gathering and delete data on UK citizens, a public-facing lookalike like PimEyes may not fare well. ®