Cyber Savvy

The Henry Schein Attack

May 14, 2024 DTC, Inc. Season 2 Episode 2

Join us for a new episode of Cyber Savvy where we explore the Henry Schein cyber attack. Our experts break down how it happened, why it matters, and what it means for healthcare security. From the breach's timeline to its broader implications, we discuss it all.

We start by tracing the timeline of events leading up to the breach, exploring the vulnerabilities exploited and the techniques deployed by the threat actors. Through in-depth analysis, we uncover the motives behind the attack and its potential implications for both Henry Schein and the broader healthcare sector.

Tune in for actionable insights and strategies to strengthen cybersecurity defenses in the healthcare sector.

Special guest Andrew Rose is an award-winning CISO, Speaker, Brand Evangelist, Industry Analyst, NED & Board Advisor, CISO Mentor, Ultra runner - passionate about driving information & cyber security through a people-centric focus. He is also a board-level Advisor with recognized expertise in information security and risk management, ISO27001, information security strategy; security organization and budgeting, security awareness, EU Data Protection, business engagement; information security policy development; and governance, risk, and compliance (GRC) initiatives.

Andrew Rose began a cybersecurity awareness program in 2016 while at a major agricultural bank after recognizing that the ag sector wasn’t getting the attention it needed about the risks posed by cybercriminals and other adversaries. He helped coordinate several symposiums and events focusing on the topic. He is now an independent contractor and volunteers his time to bringing cybersecurity awareness, education, mitigation, and response to the ag and food supply chain (and other special projects). His focus is on mitigating emerging threats. In addition to his experience in cybersecurity, he has a deep understanding of banking/finance, risk management, and other professional service sectors related to food, agriculture, and climate.  

Michael Urbanik is an Account Executive with R.K. Tongue Co., Inc. and is licensed in both Life & Health and Property & Casualty Insurance. He has experience working with both large and middle market commercial clients. He enjoys helping his clients understand the risks they face and develop cost-effective plans to successfully mitigate and transfer these risks.

Did you enjoy today’s episode? Think we missed an important sector that should have been discussed? We here at DTC, Inc. would love your feedback on today’s episode! Please email us your comments and questions at AskUs@DTCtoday.com

Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!




[Intro Music]
[00:00:00 Andrew Rose]
Welcome to Cyber Savvy. This podcast was created by DTC to bring awareness, mitigation and response to cybersecurity threats companies and organizations face daily. Be prepared. Be cyber savvy.

 Welcome and I am excited about today's podcast. My name is Andrew Rose. I am your co-host, along with Mike Urbanik from R.K. Tongue. And today we have a special session that I am just over the moon to discuss. Before I go there, Mike, you want to give yourself a quick introduction and let us know who R.K. Tongue is and what you guys do.
 
[00:00:46 Mike Urbanik]
Yeah. Thank you, Andrew. R.K. Tongue is an independent, privately owned insurance broker, operating for over 100 years based out of Maryland. I'm an insurance agent, and we handle predominantly white-collar service industries, but capable of taking on many other risks as well. And happy to be here talking about cyber liability insurance, as always.

Every day we talk about this, the risk factor just keeps going up and up and we see more businesses suffering through these types of attacks.

 And insurance is certainly a very important component when it comes to protecting your business from these types of attacks. So happy to be here talking about it.
 
[00:01:25 Andrew Rose]
And I do want to stress that point as well as it's not just the insurance that you have that will hopefully at least make you whole or partially whole after an attack, it's the risk management that goes into that's assessing how vulnerable are you and how prepared are you to recover after an incident occurs?

 So, don't think of risk management, just someone come in there to sign a document and you stroke a check. There's a lot more holistic questions, diligence that goes into a process like this. And I know business owners often view this as a negative or stressful time, but it really should be more of a positive assessment of your entire profile of your organization.

 And Mike, you want to add a little bit to that as well, because again, I think folks sometimes will underestimate how crucial this process is.
 
[00:02:05 Mike Urbanik]
100%. I mean, insurance is a part of the puzzle. And there's two other big components that I see. One is the end user. That is the business. They have to own their cyber risk.

 They need to get their hands around it and take all steps and measures possible to make sure their employees and themselves are using all the right tools, procedures, protecting themselves from a user component, and then there's partnering with a company like DTC, having someone come in and set up the firewalls, the multifactor authentication, the cloud services, the sonic walls, everything you need to armor yourself to go out and do business on the internet, which you have to do these days.

 You can't avoid that. And then lastly, it is the insurance component. Should those other two mechanisms fail, having the wherewithal for another company to come in and indemnify you, build you back up so you can go back out there and do it all again. So that's how we see it. And talking about Henry Schein today, I think we'll learn why it's important.
 
[00:03:10 Andrew Rose]
Oh, indeed. And for those loyal listeners out there who are tuning in to our podcast, Henry Schein is a big purveyor of all sorts of health care supplies. But not only health care supplies, they are very centric to the dental market, which is why they're so germane to our conversation today. And they were a victim of a cyberattack late last year, Q3- yeah Q3 last year.

Mike, can you give us a little bit background and color on Henry Schein and maybe what led up to this attack?
 
[00:03:41 Mike Urbanik]
Sure. So, we know some information. We don't know everything. And that's kind of typical when we have a large scale cyberattack on a business like this, they're willing to share some information, but they don't necessarily give us all the details.

 Henry Schein is a large medical supply distributor, predominantly working in the dental space, publicly traded over $1 billion company, and they suffered from a cyberattack in October of 2023. So that's who we have, a very large I think they had maybe over 30,000 employees, if I remember correctly, a very large nationwide medical supply distributor working in the dental space.

 And yeah, a big player. Many of my dental offices use Henry Schein. I see them at all the events I go to. They are a big player in the dental space.
 
[00:04:34 Andrew Rose]
So, imagine their surprise on October 15th when their sales techs try to log in and fulfill orders for their clients, and they were unable to access their equipment.

 That must be just... I can't, you know, trying to put myself in their shoes. First, you think maybe it's a server issue or there's a problem with I.T. but then when it begins to cascade, it dawns upon not only the folks working there, but the entire industry, what is going on. And, Mike, I know you've seen clients that have been the victim of these attacks.

 It's not just rational business as usual, "Here's the protocols that we follow." This is a very emotional and scary time. And again, I'm sure that you've had accounts or some of your clients on this as well.
 
[00:05:16 Mike Urbanik]
Absolutely. It's a lot of unknown because you don't necessarily see the problem. You think maybe, okay, I show up to my office one day and there's a fire.

 You can in your mind quantify, okay, the building burned down. It was damaged. Yes. It's horrific and going to impact your business, but you have a visual conception of what's going on. When cyber-attacks happen, you really don't necessarily have that capability right away. It takes time to put that image together. Did they take payment information? Did they take client information?

 How much of your internal documents did they copy? What are they going to do with that? There is a lot that can be done. And it certainly- your mind doesn't understand what has happened. So, I think you have a pretty big fear factor when clients, at least from what I've seen, go through these type of digital attacks.
 
[00:06:08 Andrew Rose]
And when I pulled up the Henry Schein 10-K report from late February, to review what they have informed the SEC about this attack.

 There was a piece in there that struck me as a little bit strange, and I don't understand how to interpret this, but I'll read it out loud. “With respect to the October 23rd cybersecurity incident, we have a $60 million insurance policy following a 5 million retention”. What does that mean? And is that adequate for a company that's $1 billion in revenue?
 
[00:06:39 Mike Urbanik]
Yeah, that's a great question. So, when they're talking about their cyber liability policy, and I noticed that as well. They said that they have a $60 million after tax claim limit is what they say. And it doesn't really specify what is first party, third party. We'll talk about that a little later on. But $60 million is certainly quite a bit of money to come in and indemnify you if it's first party.

 So, replace computers, pay for technicians to work on these systems. Anything you need to do to be made whole. There could be some business interruption or business loss coverage in there. Without seeing their policy, I don't know exactly what will be done. And then the retention. Retention is another term for deductible. So, this policy didn't take place until this client paid out $5 million of their own money or paid a $5 million deductible.

So, it doesn't surprise me that organizations this large have policies structured like that, because the potential for damages are huge. And to bring in a support team to attempt to remediate an attack this large or this damaging, it's a significant expense and a significant project that will probably take months or years to resolve, and it can keep rearing its head. So, there's no necessarily definitive timeline either. 

Like I go back to that building fire, you clean the site up, you build a new building. Insurance company knows. All right. This is all regarding that one incident, now we walk away. The cyber-attacks keep reoccurring. Are they from the first one? Did we not clean it up enough? There's a lot of question marks that can make these types of claims very challenging.

 So that's just talking about the insurance policy. But Andrew let's talk about, I guess when did this happen? Who attacked them? What do we know? Because there are a lot of unknowns. But there are some knowns. Is that right?
 
[00:08:32 Andrew Rose]
Indeed. Do you want to go through that? Would you prefer I do that?
 
[00:08:35 Mike Urbanik]
I'll let you do the honors.
 
[00:08:36 Andrew Rose]
Sure. Well, October 15th was kind of the inception of this attack, and that's when they realized that their machines have been compromised. They don't go through in their 10-K exactly what responses they took. But you can read between the lines a little bit and discern what may have occurred. So, after the initial attack happened, that's when this some insurance information was released.

 What we assume is that they contacted law enforcement and did not pay the ransom. There is no record of a Bitcoin ledger for any ransom associated with this attack. And we kind of can see that is the case because on November 8th, they were hit again with another attack from the same actor and then again on November 22nd.

 So, what happens? Or at least from the chatter that we saw in some of the chat logs that were released, Henry Schein was, I guess, delaying or trying to slow down negotiations so they could restore their systems without paying the ransom. And that upset the ransomware gang. And so, they continued to escalate their attacks on the Henry Schein systems.

The gang that attacked them is a gang called ALPHV or BlackCat, and that is their current name. You might remember them as Black Matter, and they were the same group that attacked the Colonial Pipeline a few years ago. Critical infrastructure, and we'll get into a little bit later. But it appears that they have disassembled and reassembled, perhaps as a new gang called RansomHub.

 And that was as of today that I learned that information. But all these things, we'll go into a little bit more detail about who they are, what their motivations are, and what their modes of attack are.
 
[00:10:19 Mike Urbanik]
That's absolutely right. So we believe we know who the culprit was, that ALPHV/BlackCat. And these organizations, they do change. They do evolve.

 They change their names. So who they are, who the members are, or how continuous their operation is, is always a moving target. But they operate out of Russia is what we know about them. They're gang affiliated. They are a ransomware as a service provider, meaning they will provide ransomware to other criminals to go and commit attacks. But they will also commit attacks themselves roughly from what I could tell, learning about them as early as 2021.

 Operating under this name, they've carried out looking at what data we can attribute to them over 200 ransomware attacks. And it said that they're responsible for probably anywhere to 10% of all ransomware attacks in 2022, from what I saw. But again, these are very hard numbers to pin down. No official sources tracking these. This is what we can collaborate to get their data wise.
 
But we have a very large, established criminal organization who targets businesses predominantly with ransomware. And in a country that it's hard to reprimand them or go after them. So I'm certainly no international studies master on this, but how do you combat an organization like that? Who has more or less carte blanche to go ahead and commit these attacks whenever they want, targeting businesses all throughout the world and here in the US?

 So that's what we know about who the culprit was. Andrew, would you like to add anything about that?
 
[00:12:01 Andrew Rose]
Of course, a couple of things to note, and this goes back to attribution where they might be housed. They do not attack any organizations or companies that exist in the Russian Empire. So that will tell us there probably have got some sort of explicit support from the Russian government.

I imagine if they're a gang, an organized crime gang, there's no better place on this planet to operate than in Russia. You give a little bit of vague back to the house, and then you can operate with impunity there, and you're free from any kind of extradition policies or things that may occur as well. A couple of things to keep in mind about this gang that makes them unique.

 One is that the malware they deployed, they wrote themselves in a computer program called RUST, R-U-S-T. Which, I'm not a computer programmer, but it seems to be an interesting language. That, and again, I heard that President Biden was very excited about and endorsed as well. So it's almost a finger in the eye for them to utilize this software program in order to fulfill their means.

And we've covered this in some other podcasts, but the way these ransomware gangs work is it's kind of like a pyramid. And at the top of the pyramid would be BlackCat. They're the admins, the operators. They have customers support. They've got all kinds of banking and transaction facilitation processes. At the bottom and base of the pyramid are all the wannabe script kiddies.

They call them. Those are those entry level gangs who might have a few tools. They might have credentials or access into a company. They get into these organizations and they sell that access upstream to someone like BlackCat or ALPHV, who then go and deploy their customer service. They get the ransom paid in exchange for that, they tend to give up to 80% of that ransom back down to the bottom of the pyramid to these script kids.

That said, going back to BlackCat and some of the fun things that happened there, they exist on the dark web. The dark web is a place where most of us never go. Most of us don't even know how to get to the dark web, but they then exist there. In addition to. And you may have heard the term Silk Road back in the day and exist in addition to selling drugs, they sell access to personally identifiable information keys to get into different places and what have you.

But they also have their websites where they say, we're open for business. So they say, hey, script kiddies, if you get access to one of these big companies, come to us and we will negotiate with you and enter you in there. The FBI about the time and I haven't got the precise dates on this, but I'm assuming it was just prior to the Henry Schein attack or somewhere around that time the FBI took down BlackCat’s dark web website, which is, from what I understand, a very difficult thing to do.

BlackCat was not happy with that, and they put it right back up again. And the FBI took it down again. And this went back and forth and to the point in time when BlackCat was able to at least get their dark web website back up, and what they said was, the gloves are off. They said up until this time we had made a promise not to attack health care or critical infrastructure or nuclear power plants. 

Because the FBI's been playing this game with us, our gloves are off, all bets are off. We're going after health care. And it was about that exact time that the Henry Schein attack occurred. And the one though unfortunately or fortunately, that's in the headlines these days is United Health Care Change Healthcare attack, which was done by the exact same gang, the BlackCat gang. 

And in this one, the reason we have a little bit more information, the affiliate was a guy or somebody that goes by the name of Notchy, N-O-T-C-H-Y and Notchy was supposed to get paid his portion of getting them into the United Health Care, but the BlackCat organization put up a phony website that looked like they've been seized by the FBI, absconded with the money, and didn't pay Notchy his finder's fee.

So he was upset and posted on a Russian ransomware chat group that they had taken his money and they owed him $20 million. I assume it's 20 million because he's said 20 KK, and when you say 20 K, you think 20,000, but 20 KK could also mean 20 million. So, the $22 million that Change Healthcare, even though they haven’t confirmed they paid it, there was a Bitcoin ledger that identified them as paying it to BlackCat.

And then today's headline, just to take the story one step further, there is a secondary ransom now on UnitedHealthCare from a group called RansomHub that has, I think they said three gigabytes of compressed data or four terabytes uncompressed data of all the personally identifiable information.

But they're gonna start with military personnel when they start releasing it. So, they really have put the screws to that. They're speculation. Neither one is a good outcome. There's speculation that Notchy has somehow joined a new ransom gang called RansomHub, and wants to get his 20 million or whatever number that is. BlackCat's doing a dual ransom and pretending to be someone else.

 So, it's a shady world out there, my friend, in what's going on. And again, you gotta remember this BlackCat gang does have the support, protection of the Russian government so they can operate with impunity. And they probably have access to some of the best programmers or weaponry that the Russian Cyber Brigades have available to them, as well.
 
[00:17:44 Mike Urbanik]
I think you gave us a lot there, and I think if we have another writers' strike in Hollywood, all they need to do is go look at stories like this to come up with some real quality content, because we think these guys are just a very boring organization. But no, there's a lot of dramatic details that happened on their end.

 So, we know it's ALPHV, we know they had they targeted Henry Schein. We have the approximate day where had Henry Schein discovered this. This was October 14th. They discovered the attack. They took their systems offline. But what we don't know is how exactly they infiltrated this system. If Henry Schein and the FBI and the powers that be know this, they haven't released it.

 I've looked 20 articles or so covering this attack, trying to get some insight. Did this start as a phishing email? Did they put ransomware on something? How did they get in? It hasn't been disclosed, which is something we've talked about the means in which these organizations operate. I was curious to see how they could get through the firewalls and the MFA and all the systems an organization like this surely had. 

I wanted to learn something, but unfortunately, we don't have that. So, we know October 14th is when they discovered it. Their immediate response was just to take computer systems offline. They needed to disclose this attack that is part of the SEC obligations. To be a publicly traded company you have to comply with.

 That's where we're getting a lot of this data, you know. So, on October 13th, the day before the attack, the stock was trading at $73.35. You follow this to November 2nd, which is, you know, roughly 15 days later, following the public announcement, the stock is lost about 10%, 15% of its value, trading at $61.89. So huge impact just by announcing, hey, we've had a data breach.

 And what we do know from that first disclosure of the incident was that ALPHV said they encrypted the company's systems and stole about 35TB of sensitive data. So that news alone sent this stock plummeting. They said in their attack, they said they caused $150 million in losses. And we're going to threaten to release more data. Looking at the Henry Schein earnings report, I believe they expected to impact their business.

 And they said they had a $50 million loss. So, whether it's a 150, 500 million, sorry, 500 million was what they said in their report. So 150 million by ALPHV, Henry Schein says it was 500 million from a couple Henry Schein reps that I know from boots on the ground. They said they had no computer systems for roughly a month, sending in orders, paper and pen.

 So that's how devastating this type of attack could be to a business. Complete infrastructure loss and shut down. You have to go paper and pen to complete client orders. Clients might take business elsewhere. You're not bringing money in. You're potentially losing people. There's huge inefficiencies in business interruption and major impacts. 

Where in their report they're saying $500 million were lost and they're attributing that from what I could tell it to this attack.

Andrew, what does that sound right?
 
[00:21:00 Andrew Rose]
It does. And, you know, again, I don't think we have the full picture of the financial impact of this attack really until the end of 2024 because of all the follow along impacts. And that doesn't include the lawsuits that are now pending against Henry Schein because of this, again, we talk about the impact to Henry Schein.

I'm sitting here thinking about all the dental offices that are waiting for these supplies so they can do their jobs. And what does that financial impact then on the downstream effect? Going back to how Henry Schein was accessed, we can surmise based on how BlackCat operates, said it was most likely an affiliate that brought them in there, and how that affiliate got in could be a wide variety of ways.

But one of the things that we need to be very cognizant of going forward is they are starting to use more social engineering for their attacks. And if we think about the MGM Caesars attack and how they use social engineering to get in there, it was an affiliate called Scattered Spider. And these are teenagers, young adults from the US and the UK who have not only a grasp of the English language, but they also understand the proclivities of human beings.

 And what they did was they went on LinkedIn and identified some people within the organization who they wanted to steal the credentials from. Then they went and identified the MSP or managed service provider, the IT company that MGM or Caesars used, and they pretended to be this person with a lost password, and they were able to within 15 minutes, get the credentials they needed to log into the system, then to basically take the entire casino offline, including, some slot machines, elevators, room keys and everything that went with it.

And part of the finger on the eye from this one is I can't remember it was Caesars or MGM is the host for Defcon and the BlackCat hacking conferences. So I think there was a dual message sent there in terms of not only the losses organizations, but going back to how they get in. If we're not being cognizant of the social engineered attacks on our mid-level low level of employees as organizations, we really need be paying attention to that.
 
[00:23:03 Mike Urbanik]
Absolutely. All they need is one chink in the armor, a way to get in, and they can do a lot of damage. A lot of times we worry about just making sure the front is locked, but we don't have locks on the interior doors or our systems, our house or our computer network. So once they get in, they can move around a lot.

Talking about going back to Henry Schein and the impact it had on the business, I noticed there was a report that said starting in December, they were going to offer discounts on their products 10 to 20% as a means to help keep clients happy, keep sales personnel competitive because they knew this impacted their business, because now their clients could get their product.

That's what this meant. They couldn't take orders. They can process anything. It shut the entire business operation down. So it was devastating. And to pick up on something you said there is a class action lawsuit pending. It is Depperschmidt versus Henry Schein and this was filed January 25th, 2024. And this is basically a class action lawsuit going after Henry Schein for the damages reportedly compromised of the private data of approximately 29,000 individuals.

So, this is fuel to the fire. If you're Henry Schein, you've had this attack. It's caused a ton of internal strife, losses, maybe to the tune of $500 million or more. And then on top of that, you have a class action lawsuit brought against you because you were the one holding the personal identifiable information of 29,000 individuals, which is now out there in the ecosystem.

And, you know, that's damages to other people, that's third party liability. So this thing just continues to go on. So this is, I think, probably maybe worst case scenario, perfect storm type situation of what these attacks can do. I'm sure we have business owners out there listening who maybe only do $50,000 a year in revenue or more, and they say this type of stuff cannot happen to me.
 
It certainly can. This is just the flagship one we can take a look at and learn a lot. But there are criminals doing this type of attack at all levels of the business enterprise, because there is money in it for them at all levels.
 
[00:25:21 Andrew Rose]
Absolutely. I mean, there was no financial incentive. Why would you do this? The other piece to going back to the impact in the organizations, you start thinking about their reputational damage. Now there's a trust issue there amongst their buyers.

And if we look at the ransomware groups, there's a trust issue there too. And that's one of the things that the FBI and international law enforcement wants to do is introduce friction into the relationship between these ransom gangs and their affiliates. An example of this, is an organization called LockBit which may have been probably the biggest ransomware group, and they were recently taken offline by a joint FBI and international law enforcement action.

And, you know, it's a whack a mole. You take them offline. They reconstitute as something else. The CEO or leader of LockBit- I don't know if they have official titles or not. After they were taken down, released a video saying how great his life was, that he's made over $100 million, that he doesn't have to do this.

He does it for fun. Basically, the message, though, is from a law enforcement standpoint was to reassure the affiliates that, hey, the FBI's really not in here. The law enforcement that's really not into my servers. And here's all the ways that we've taken to mitigate the FBI getting into our servers and our communications channels and identifying who we are.

The one thing, though, that I think is most telling from this story is that when law enforcement took LockBit offline, they found the data still on their servers of people who paid the ransoms. So that tells us right there that a business owner who thinks that they're paying a ransom to unencrypt is only half the issue. Your data is still held hostage, and you can have a turnaround, just like we're having with RansomHub on Change Healthcare, you pay a $22 million ransom, and then two weeks later, you got to pay another ransom.

How long does that game continue? And the new mantra for cybersecurity is it's not when, it's again. So if you're the victim of an attack, you better be prepared for the next one right now and make sure you've got some sort of written information security plan. And people know how to implement that plan because it's, you know, I hate to say it's a matter of time right now, but I can't think of anyone that's going to be immune from cyber-attacks going forward.
 
[00:27:39 Mike Urbanik]
No, I think you're absolutely right. There's certainly no silver bullet coming down the pipeline, from everything I see. It's again, back to that triangle of business ownership. You have to get your hands around this. You have to train your people. You have to not turn a blind eye and own the responsibility to protect yourself. Making sure when you leave every day, you're locking that front door, so to say.

Your people know what to do and they're not misusing the company assets and clicking on nefarious links, etc. They have a good cyber IQ about them. You have to do that. Then you have to be working with a managed service provider. Maybe your brother-in-law who builds a website isn't the right guy anymore because this has evolved beyond that. So take this stuff seriously.

Yes, it's a big expense for businesses, but you can't afford not to, as we've seen with the Henry Schein scenario. And lastly, seriously consider a cyber liability insurance policy if you have not already. Our information is linked. If you want to talk to us about it, more than happy to have a conversation.
 
[00:28:46 Andrew Rose]
I agree completely and it's same with your IT systems.

I strongly recommend if you are large enough to outsource your IT services to somebody that always has an eye on this thing. If you're a business owner and you're managing your own server, you might be at home on the holidays and that's the prime time for thieves to attack. You need to have 24/7 monitoring and make sure any anomalous thing is taken care of.

And then back to the social engineering. It sounds kind of simple, but what I've heard law enforcement say is use your spidey sense. If something seems a little bit off, stop. Pause. Think before you click. Cognitively, there could be something there. A lot of people respond emotionally. If it's a financial or relationship or academic type of outreach. Think a minute.

Am I the type of person that would normally receive this type of information? Why am I receiving this information? Who is this person? But this is the time to be very skeptical. And even though it's not as important to this one, another bit of information is if you receive information and you have an emotional response to it, you are being manipulated in some way.

So always, if you're having some sort of, whether it's a happy or sad or angry, emotional thought to some information you're receiving, stop and think cognitively, why am I having this reaction? That's typically how the information warfare works.
 
[00:30:03 Mike Urbanik]
Yeah. Andrew, as early as this morning I got a text from an unknown number saying, "There's a nice party tomorrow. Are you coming?" So, it just shows. These are the type of messages going out there. We should probably talk about that in a later podcast. The pig butchering system they use. Lovely name. We'll get into that another time. There's a lot to talk about there. But yeah, I mean, they just need one chink in the armor. And once they get in, these guys know what they're looking for.

So, I'm glad we could look at this Henry Schein scenario today. I'm certainly not happy for Henry Schein. My heart really goes out to the people involved there in the business. It has to be beyond frustrating to deal with something like this, but hopefully we can learn from it and better protect ourselves.
 
[00:30:46 Andrew Rose]
Indeed. And a couple of things, Henry Schein has learned from this, at least in terms of their 10-K and what they have instituted or had instituted.

Risk assessments look at material cybersecurity risk to their information systems. They have a security team whose principal responsibility is risk assessment and control standards, external service providers access to their systems to test their controls. They have a written cybersecurity incident response plan, including procedures for responding to these incidents.

And they have instituted a global information security policy because they are not just domestic alone, they're international countries, and all employees are now required to participate in mandatory annual cybersecurity anti-phishing courses along with compliance programs. 

I couldn't tell from the 10-K if these were in place prior to the attack or these are post, but regardless, I think these are all different types of things that organizations should embrace as well. For those of you who listen to my podcast in the past, having a written information security plan is the most important thing.

Who's going to talk to the police? Who's going to talk to the press? Who isn't? What are those messages going to be? What do your backups look like, etc., etc. And we'll get into that in much more detail in future podcasts as well. But this is the time to be cyber aware, and if you're not cyber savvy, you could be the victim of a devastating attack like Henry Schein was.
 
[00:32:10 Mike Urbanik]
Andrew, I completely agree with you and hope everyone out there was able to take some parting wisdom from this, and will go back and investigate their system and say, hey, am I doing the right thing? And if not, please contact someone and look to do so.
 
[00:32:26 Andrew Rose]
Well, wonderful, Mike. Well, listen, I appreciate you taking some time today to discuss this cyber attack with me and ALPHV and BlackCat Group.

Or maybe they're called RansomHub now. We will find out what they reconstituted as. But as usual, this is a space with a lot of information, a lot to talk about. And I appreciate your insights, especially from the risk management point of view.
 
[00:32:45 Mike Urbanik]
Happy to be here. Thank you, Andrew.
 
[00:32:54 Outro Music]
We would love to hear from you. Please email us your questions or comments to ask us at DTCtoday.com. New episodes of Cyber Savvy are posted the second Tuesday of every month. For more detailed information, visit our website at DTCtoday.com. Be prepared. Be cyber savvy.