Axios Codebook

Ransomware gangs are starting to go public with the sensitive information they steal to ensure victims pay up.

Driving the news: In the last week alone, ransomware criminals have threatened to leak private photos from breast cancer patients' files and published a video showcasing the data they could access while digging through Minneapolis Public Schools' systems.

• The video showed records related to student sexual violence allegations, letters to parents about student suspensions, and employee tax forms.

The big picture: It's rare for ransomware criminals to publicly detail the specific pieces of data they were able to steal during an attack.

• Usually, criminal gangs flaunt these findings to victims only in private negotiations, rarely discussing their precise findings in public.
• Now, as reports find that ransom payouts are dropping, criminals are trying a new tactic to publicly shame victims into paying: combing through the data sets and publicly detailing the most confidential bits.

Zoom out: Ransomware gangs have started moving away from traditional, encryption-based attacks to focus on data extortion.

• A ransomware attack typically involves hackers installing file-encrypting software onto an organization's networks and then demanding payment to unlock those files and systems.
• But over the years, more gangs have started also stealing data before encrypting a system and demanding a second payout to prevent a leak.

What they're saying: "It seems to be accelerating and happening more frequently," Chester Wisniewski, field chief technology officer of applied research at Sophos, told Axios.

• "There's only a handful of times I can remember the extortion becoming public and having specific things that were stolen that were used as part of the demand," he added.

Between the lines: Brett Callow, a threat analyst at Emsisoft, told Axios that with fewer victims paying ransomware gangs, cybercriminals are now "looking for ways to increase their conversion rates."

• Ransomware gangs — many of whom are based in Russia — have also become more aggressive since the war in Ukraine began, Wisniewski added.

State of play: Gangs have started feeling a squeeze and pressure to try out new tactics in the last year.

• International law enforcement operations have led to more arrests and web infrastructure seizures, and the U.S. government is eyeing bringing intelligence and military powers into the fight.

Yes, but: The tactic of publicly taunting ransomware victims isn't completely new.

• In 2020, now-defunct ransomware gang REvil stole files from a New York-based celebrity law firm and publicly threatened to leak hundreds of gigabytes of files, including contracts, nondisclosure agreements and more if a $42 million payout wasn't made.
• Kurtis Minder, CEO of ransomware negotiation company GroupSense, told Axios he's also seen bad actors take their threats to Twitter and call employees of a victim organization to put more social pressure on executives to pay.

The intrigue: Increasing public scrutiny on victim organizations doesn't guarantee that gangs will get a payout.

• For some organizations, threatening them publicly could just embolden their decision to not pay the bad actors, Minder said.
• But Minder said he's also been in situations where operators are extorting so many victims at once that they seemingly forget to leak the data once the deadline for a payout passes.
• "You just get lost in the shuffle because you're one of 100 victims they're fielding right now," Minder said.

Major cybersecurity companies and startups appear to have contained their risk from the sudden collapse of Silicon Valley Bank over the weekend.

Driving the news: Several cybersecurity companies, including big names like CrowdStrike, relied on SVB for some of their financial needs before the bank's unexpected failure late last week — leaving leadership teams and investors in limbo until regulators stepped in Sunday night.

• CrowdStrike said in a statement Friday that 90% of the company's funds are "held in large global institutions."
• GroupSense CEO Minder told Axios his company was able to access its SVB funds on Monday and moved them to a larger banking institution.

What they're saying: "If the government hadn't come forward and backstopped like they did, it would have made our life pretty difficult," Minder told Axios.

The big picture: While it's unclear how many cyber companies were SVB customers, some notable names have been linked to the firm, according to BankInfoSecurity.

• Cloud-based data analytics firm Sumo Logic had a credit line open with SVB and borrowed $24.3 million during the fiscal year that ended on Jan. 31, 2021.
• Boston-based Rapid7 was also a longtime customer of the bank: In March 2020, Rapid7 CEO Corey Thomas was quoted in an SVB announcement celebrating the bank's new downtown Boston office.
• Neither company responded to Axios' requests for comment.

Between the lines: Minder is now worried about the long-term impact SVB's collapse will have on available venture capital funding as limited partners potentially pull back on their investments.

• "They're already pulling back for a number of reasons," he said. "This is going to further that."

What's next: Cybersecurity experts warn that scammers are likely to start taking advantage of the confusion over SVB's collapse in phishing and disinformation campaigns.

A recent lawsuit in Texas alleging that three women helped a friend access abortion medication is renewing calls for tech giants to make end-to-end encryption the default on their messaging services.

Driving the news: A Texas man recently filed a civil lawsuit against three women he alleges helped his now ex-wife obtain abortion-inducing medication to terminate her pregnancy, according to the Texas Tribune.

• His complaint is based on text messages among the women — making a long-held fear that people's digital communications will be weaponized after the overturn of Roe v. Wade a reality.

The lawsuit has prompted Fight for the Future, an internet rights advocacy group, to renew calls for Meta, Twitter, Google, Apple and other companies running messaging platforms to make end-to-end encryption the default on their services.

• If a message is end-to-end encrypted, it's impossible for tech companies to see what their users are saying — and thus, more difficult for them to comply with data requests from law enforcement during investigations.
• Leila Nashashibi, a campaigner for Fight for the Future, called end-to-end encryption a "no-brainer" in a statement.

Catch up quick: Even before the Supreme Court officially overturned Roe v. Wade, abortion and privacy advocates were warning people to lock down their digital communications and turn to encrypted services like Tor private browsers, Signal and Proton Mail.

• Law enforcement authorities also used Facebook messages last summer in criminal charges against a Nebraska teen who allegedly had an abortion, according to Forbes.

The big picture: Many of the tech giants have already started implementing end-to-end encryption on their messaging services.

• Meta recently expanded tests for end-to-end encryption on Messenger.
• Apple expanded end-to-end encryption to iCloud backups in December. iMessages sent between two iPhones are also already end-to-end encrypted by default.

Yes, but: The Texas case's chances of advancing remain murky. The plaintiff alleges his ex-wife had a self-managed abortion in July 2022, but Texas' post-Roe abortion law didn't go into effect until August.

• The complaint is heavily based on screenshots of text messages among the four women; however, it's unclear how these screenshots were obtained or if encryption could've helped prevent it.

@ D.C.

☁️ The White House is working on a comprehensive plan to address cloud security. (Politico)

📣 The Cybersecurity and Infrastructure Security Agency launched a new pilot program to proactively warn critical infrastructure operators about vulnerabilities ransomware gangs are targeting. (BleepingComputer)

💻 The IRS plans to implement a government-run identity-verification system ahead of tax season, following last year's outcry over the use of a facial recognition vendor. (FCW)

@ Industry

🧠 Mental health care startup Cerebral says it shared more than 3.1 million patients' personal health information with advertisers and social media giants. (TechCrunch)

🪦 A facial recognition company has started training its tools on photos of those who have already died. (Wired)

💰 Cloud security vendor Mitiga raised a $38 million Series A round, led by ClearSky Security. (TechCrunch)

@ Hackers and hacks

☎️ Sensitive data belonging to 9 million AT&T customers was exposed in a recent data breach at a third-party vendor. (The Record)

🐍 The new Medusa ransomware gang is gaining momentum, and researchers have yet to figure out how to break its encryption. (BleepingComputer)

If anyone knows why pro wrestler John Cena has moved on from following random journalists on Twitter to following random cybersecurity professionals, uh, let me know.

• Until then, let's enjoy the new parody account that's emerged from the chaos.