WorkRamp raises $17M to ramp up its enterprise learning platform

Remote learning and training have become a large priority this year for organizations looking to keep employees engaged and up to date on work practices at a time when many of them are not working in an office — and, in the case of those who have joined in 2020, may have never met any of their work colleagues in person, ever. Today one of the startups that’s built a new, more user-friendly approach to creating and provisioning those learning materials is announcing some funding as it experiences a boost in its growth.

WorkRamp, which has built a platform that helps organizations build their own training materials, and then distribute them both to their workforce and to partners, has raised $17 million, a Series B round of funding that’s being led by OMERS Ventures, with Bow Capital also participating.

Its big pitch is that it has built the tools to make it easy for companies to build their own training and learning materials, incorporating tests, videos, slide shows and more, and by making it easier for companies to build these themselves, the materials themselves become more engaging and less stiff.

“We’re disrupting the legacy LMS [learning management system] providers, the Cornerstones of the world, with our bite-size training platform,” said CEO and founder Ted Blosser in an interview. “We want to do what Peloton did for the exercise market, but with corporate training. We are aiming for a consumer-grade experience.”

The company, originally incubated in Y Combinator, has now raised $27 million.

The funding comes on the back of strong growth for WorkRamp. Blosser said that it now has around 250 customers, with 1 million courses collectively created on its platform. That list includes fast-growing tech companies like Zoom, Box, Reddit and Intercom, as well as Disney, GlobalData and PayPal. As it continues to expand, it will be interesting to see how and if it can also snag more legacy, late adopters who are not as focused on tech in their own DNA.

WorkRamp estimates that there is some $20 billion spent annually by organizations on corporate training. Unsurprisingly, that has meant the proliferation of a number of companies building tools to address that market.

Just Google WorkRamp and you’re likely to encounter a number of its competitors who have bought its name as a keyword to snag a little more attention. There are both big and small players in the space, including Leapsome, Capterra, Lessonly, LearnUpon (which itself recently raised a big round), SuccessFactors and TalentLMS.

The interesting thing about what WorkRamp has built is that it plays on the idea of the “creator,” which really has been a huge development in our digital world. YouTube may have kicked things off with the concept of “user-generated content,” but today we have TikTok, Snapchat, Facebook, Twitter and so many more platforms — not to mention smartphones themselves, with their easy facilities to shoot videos and photos of others, or of yourself, and then share with others — which have made the idea of building your own work, and looking at that of others, extremely accessible.

That has effectively laid the groundwork for a new way of conceiving of even more prosaic things, like corporate training. (Can there really be anything more comedically prosaic than that?) Other startups like Kahoot have also played on this idea, by making it easy for enterprises to build their own games to help train their staff.

This is what WorkRamp has aimed to tap into with its own take on the learning market, to help its customers eschew the idea of hiring outside production companies to make training materials, or expect WorkRamp to build those materials for them: Instead, the people who are going to use the training now have the control.

“I think it’s critical to be able to build your own customer education,” Blosser said. “That’s a big trend for clients that want both to rapidly onboard people but also reduce costs.”

The company’s platform includes user-friendly drag-and-drop functionality, which also lets people build slide shows, flip cards and questions that viewers can answer. The plan is to bring on more “Accenture” style consultants, Blosser said, for bigger customers who may not be as tech savvy to help them take better advantage of the tools. It also integrates with third-party packages like Salesforce.com, Workday and Zoom both to build out training as well as distribute it.

“Since 2000, we have seen three major technology shifts in the enterprise: the transition from on-premise to SaaS, the growth of mobile, and the most recent – sweeping digital transformation across almost every part of every business,” said Eugene Lee of OMERS Ventures, in a statement. “The pandemic has forced adoption of a digital-first approach towards customers and employees across virtually all industries. WorkRamp’s platform is foundational to empowering both of these important audiences today and in the future. We are bullish on the massive opportunity in front of the company and are excited to get involved.” Lee is joining the board with this round.

HealNow raises $1.3 million to bring online payments to pharmacies

As the health tech landscape rapidly evolves, another startup is making its presence known. HealNow has closed a $1.3 million round of funding from SoftBank Opportunity Fund and Alabama Futures Fund.

The company was founded by Halston Prox and Joshua Smith. Prox has worked in healthcare for more than a decade with major organizations such as Providence Health, Mount Sinai and Baylor Scott & White, mostly focused on digitizing health records and designing and implementing software for doctors, nurses, etc. Smith, CTO at the company, has been a developer since 2012.

The duo founded HealNow to become the central nervous system for order and delivery of prescriptions, according to Prox. Your average payments processing system isn’t necessarily applicable to pharmacies large and small because of the complexities of health insurance and the regulatory landscape.

Not only is it costly to facilitate online payments for pharmacies, but they also have their own pharmacy management systems and workflows that can be easily disrupted by moving to a new payments system.

HealNow has built a system that’s specifically tailored to pharmacies of any shape or size, from grocery stores to mom and pop pharmacies and everything in between. It’s a white label solution, meaning that any pharmacy can put their brand language on the product.

“We’re embedded in their current workflows and pharmacies don’t have to do anything manual, even if they’re using a pharmacy management system,” said Prox.

When a user looks to get a prescription from their pharmacy, they are sent a link that allows them to securely answer any questions that may be necessary for the pickup, enter insurance info, make a payment and schedule a curbside pickup or a delivery. The tech also integrates with third-party delivery services for pharmacies that offer deliveries.

This technology has been particularly important during the COVID-19 pandemic, giving smaller pharmacies the chance to compete with bigger chains who have digital solutions already set up that allow for curbside pick up. This is especially true now that Amazon has gotten into the space with the launch of Amazon Pharmacy.

HealNow is a SaaS company, charging a monthly subscription fee for use of the platform, as well as a service fee for prescriptions purchased on the platform. However, that service fee is a flat rate that never changes based on the cost of the prescription.

The space is crowded and growing more crowded, with competitors like NimbleRX and Capsule offering their own spin on simplifying and digitizing the pharmacy. One big difference for HealNow, says Prox, is that the startup has no intention of ever being a pharmacy, but rather serving pharmacies in a way that doesn’t disrupt their current workflow or system.

“We’re not a pharmacy, and we want to enable all these pharmacies to be online,” said Prox. “To do that we have to do that in an unbiased way by focusing on being a complete tech company.”

The funding is going primarily toward building out the sales and marketing arms of the company to continue fueling growth. HealNow has a foothold in the West, Southwest and Middle America, and is opening an office in Birmingham to sprint across the East Coast. Prox says the company is processing thousands of orders a day and tens of thousands of orders each month.

HealNow launched in 2018 after graduating from the Entrepreneurs Roundtable Accelerator.

Arthur.ai snags $15M Series A to grow machine learning monitoring tool

At a time when more companies are building machine learning models, Arthur.ai wants to help by ensuring the model accuracy doesn’t begin slipping over time, thereby losing its ability to precisely measure what it was supposed to. As demand for this type of tool has increased this year, in spite of the pandemic, the startup announced a $15 million Series A today.

The investment was led by Index Ventures with help from newcomers Acrew and Plexo Capital, along with previous investors Homebrew, AME Ventures and Work-Bench. The round comes almost exactly a year after its $3.3 million seed round.

As CEO and co-founder Adam Wenchel explains, data scientists build and test machine learning models in the lab under ideal conditions, but as these models are put into production, the performance can begin to deteriorate under real-world scrutiny. Arthur.ai is designed to root out when that happens.

Even as COVID has wreaked havoc throughout much of this year, the company has grown revenue 300% in the last six months smack dab in the middle of all that. “Over the course of 2020, we have begun to open up more and talk to [more] customers. And so we are starting to get some really nice initial customer traction, both in traditional enterprises as well as digital tech companies,” Wenchel told me. With 15 customers, the company is finding that the solution is resonating with companies.

It’s interesting to note that AWS announced a similar tool yesterday at re:Invent called SageMaker Clarify, but Wenchel sees this as more of a validation of what his startup has been trying to do, rather than an existential threat. “I think it helps create awareness, and because this is our 100% focus, our tools go well beyond what the major cloud providers provide,” he said.

Investor Mike Volpi from Index certainly sees the value proposition of this company. “One of the most critical aspects of the AI stack is in the area of performance monitoring and risk mitigation. Simply put, is the AI system behaving like it’s supposed to?” he wrote in a blog post announcing the funding.

When we spoke a year ago, the company had eight employees. Today it has 17 and it expects to double again by the end of next year. Wenchel says that as a company whose product looks for different types of bias, it’s especially important to have a diverse workforce. He says that starts with having a diverse investment team and board makeup, which he has been able to achieve, and goes from there.

“We’ve sponsored and work with groups that focus on both general sort of coding for different underrepresented groups as well as specifically AI, and that’s something that we’ll continue to do. And actually I think when we can get together for in-person events again, we will really go out there and support great organizations like AI for All and Black Girls Code,” he said. He believes that by working with these groups, it will give the startup a pipeline to underrepresented groups, which they can draw upon for hiring as the needs arise.

Wenchel says that when he can go back to the office, he wants to bring employees back, at least for part of the week for certain kinds of work that will benefit from being in the same space.

Microsoft brings new process mining features to Power Automate

Power Automate is Microsoft’s platform for streamlining repetitive workflows — you may remember it under its original name: Microsoft Flow. The market for these robotic process automation (RPA) tools is hot right now, so it’s no surprise that Microsoft, too, is doubling down on its platform. Only a few months ago, the team launched Power Automate Desktop, based on its acquisition of Softomotive, which helps users automate workflows in legacy desktop-based applications, for example. After a short time in preview, Power Automate Desktop is now generally available.

The real news today, though, is that the team is also launching a new tool, the Process Advisor, which is now in preview as part of the Power Automate platform. This new process mining tool provides users with a new collaborative environment where developers and business users can work together to create new automations.

The idea here is that business users are the ones who know exactly how a certain process works. With Process Advisor, they can now submit recordings of how they process a refund, for example, and then submit that to the developers, who are typically not experts in how these processes usually work.

What’s maybe just as important is that a system like this can identify bottlenecks in existing processes where automation can help speed up existing workflows.

“This goes back to one of the things that we always talk about for Power Platform, which, it’s a corny thing, but it’s that development is a team sport,” Charles Lamanna, Microsoft’s corporate VP for its Low Code Application Platform, told me. “That’s one of our big focuses: how to bring people to collaborate and work together who normally don’t. This is great because it actually brings together the business users who live the process each and every day with a specialist who can build the robot and do the automation.”

The way this works in the backend is that Power Automate’s tools capture exactly what the users do and click on. All this information is then uploaded to the cloud and — with just five or six recordings — Power Automate’s systems can map how the process works. For more complex workflows, or those that have a lot of branches for different edge cases, you likely want more recordings to build out these processes, though.

As Lamanna noted, building out these workflows and process maps can also help businesses better understand the ROI of these automations. “This kind of map is great to go build an automation on top of it, but it’s also great because it helps you capture the ROI of each automation you do because you’ll know for each step how long it took you,” Lamanna said. “We think that this concept of Process Advisor is probably going to be one of the most important engines of adoption for all these low-code/no-code technologies that are coming out. Basically, it can help guide you to where it’s worth spending the energy, where it’s worth training people, where it’s worth building an app, or using AI, or building a robot with our RPA like Power Automate.”

Lamanna likened this to the advent of digital advertising, which for the first time helped marketers quantify the ROI of advertising.

The new process mining capabilities in Power Automate are now available in preview.

Nutanix brings in former VMware exec as new CEO

Nutanix announced today that it was bringing in former VMware executive Rajiv Ramaswami as president and CEO. Ramaswami replaces co-founder Dheeraj Pandey, who announced his plans to retire in August.

The new CEO brings 30 years of industry experience to the position, including stints with Broadcom, Cisco, Nortel and IBM — in addition to his most recent gig at VMware as chief operating officer of Products and Cloud Services.

At his position at VMware, Ramaswami had the opportunity to see Nutanix up close as a key competitor, and he now has the opportunity to lead the company into its next phase. “I have long admired Nutanix as a formidable competitor, a pioneer in hyperconverged infrastructure solutions and a leader in cloud software,” he said in a statement. He hopes to build on his industry knowledge to continue growing the company.

Sohaib Abbasi, lead independent director of Nutanix, says that as a candidate, Ramaswami’s experience really stood out. “Rajiv distinguished himself among the CEO candidates with his rare combination of operational discipline, business acumen, technology vision and inclusive leadership skills,” he said in a statement.

Holger Mueller, an analyst at Constellation Research, says the hiring makes a lot of sense, as VMware is quickly becoming the company’s primary competitor. “Nutanix and VMware want to be the same in the future — the virtualization and workload portability Switzerland across cloud and on premise compute infrastructures,” he told me.

What’s more, it allows Nutanix to grab a talented executive. “So hiring Ramaswami brings both an expert for multi-cloud to the Nutanix helm, as well as weakening a key competitor from a talent perspective,” he said.

Nutanix was founded in 2009. It raised more than $600 million from firms like Khosla Ventures, Lightspeed Ventures, Sapphire Ventures, Fidelity and Wellington Management, according to Crunchbase data. The company went public in 2016. Investors seem pleased by the announcement, with the company stock price up 1.29% as of publication.

Patch Tuesday, Good Riddance 2020 Edition

Microsoft today issued its final batch of security updates for Windows PCs in 2020, ending the year with a relatively light patch load. Nine of the 58 security vulnerabilities addressed this month earned Microsoft’s most-dire “critical” label, meaning they can be abused by malware or miscreants to seize remote control over PCs without any help from users.

Mercifully, it does not appear that any of the flaws fixed this month are being actively exploited, nor have any of them been detailed publicly prior to today.

The critical bits reside in updates for Microsoft Exchange Server, SharePoint Server, and Windows 10 and Server 2016 systems. Additionally, Microsoft released an advisory on how to minimize the risk from a DNS spoofing weakness in Windows Server 2008 through 2019.

Some of the sub-critical “important” flaws addressed this month also probably deserve prompt patching in enterprise environments, including a trio of updates tackling security issues with Microsoft Office.

“Given the speed with which attackers often weaponize Microsoft Office vulnerabilities, these should be prioritized in patching,” said Allan Liska, senior security architect at Recorded Future. “The vulnerabilities, if exploited, would allow an attacker to execute arbitrary code on a victim’s machine. These vulnerabilities affect Microsoft Excel 2013 through 2019, Microsoft 365 32 and 64 bit versions, Microsoft Office 2019 32 and 64 bit versions, and Microsoft Excel for Mac 2019.”

We also learned this week that Redmond quietly addressed a scary “zero-click” vulnerability in its Microsoft Teams platform that would have let anyone execute code of their choosing just by sending a specially crafted chat message to a Teams user. The bug was cross-platform, meaning it could also have been used to deliver malicious code to people using Teams on non-Windows devices.

Researcher Oskars Vegeris said in a proof-of-concept post to GitHub that he reported the flaw to Microsoft at the end of August, but that Microsoft didn’t assign the bug a Common Vulnerabilities and Exposures (CVE) rating because it has a policy of not doing so for bugs that can be fixed from Microsoft’s end without user interaction.

According to Vegeris, Microsoft addressed the Teams flaw at the end of October. But he said the bug they fixed was the first of five zero or one-click remote code execution flaws he has found and reported in Teams. Reached via LinkedIn, Vegeris declined to say whether Microsoft has yet addressed the remaining Teams issues.

Separately, Adobe issued security updates for its Prelude, Experience Manager and Lightroom software. There were no security updates for Adobe Flash Player, which is fitting considering Adobe is sunsetting the program at the end of the year. Microsoft is taking steps to remove Flash from its Windows browsers, and Google and Firefox already block Flash by default.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any chinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

SingleStore, formerly MemSQL, raises $80M to integrate and leverage companies’ disparate data silos

While the enterprise world likes to talk about “big data”, that term belies the real state of how data exists for many organizations: the truth of the matter is that it’s often very fragmented, living in different places and on different systems, making the concept of analysing and using it in a single, effective way a huge challenge.

Today, one of the big up-and-coming startups that has built a platform to get around that predicament is announcing a significant round of funding, a sign of the demand for its services and its success so far in executing on that.

SingleStore, which provides a SQL-based platform to help enterprises manage, parse and use data that lives in silos across multiple cloud and on-premise environments — a key piece of work needed to run applications in risk, fraud prevention, customer user experience, real-time reporting and real-time insights, fast dashboards, data warehouse augmentation, modernization for data warehouses and data architectures and faster insights — has picked up $80 million in funding, a Series E round that brings in new strategic investors alongside its existing list of backers.

The round is being led by Insight Partners, with new backers Dell Technologies Capital and Hercules Capital, and previous backers Accel, Anchorage, Glynn Capital, GV (formerly Google Ventures) and Rev IV also participating.

Alongside the investment, SingleStore is formally announcing a new partnership with analytics powerhouse SAS. I say “formally” because the two have been working together already and it’s resulted in “tremendous uptake,” CEO Raj Verma said in an interview over email.

Verma added that the round came out of inbound interest, not its own fundraising efforts, and as such, it brings the total amount of cash it has on hand to $140 million. This gives the startup money to play with not only to invest in hiring, R&D and business development, but potentially also M&A, given that the market right now seems to be in a period of consolidation.

Verma said the valuation is a “significant upround” compared to its Series D in 2018 but didn’t disclose the figure. PitchBook notes that at the time it was valued at $270 million post-money.

When I last spoke with the startup in May of this year — when it announced a debt facility of $50 million — it was not called SingleStore; it was MemSQL. The company rebranded at the end of October to the new name, but Verma said that the change was a long time in the planning.

“The name change is one of the first conversations I had when I got here,” he said about when he joined the company in 2019 (he’s been there for about 16 months). “The [former] name didn’t exactly flow off the tongue and we found that it no longer suited us, we found ourselves in a tiny shoebox of an offering, in saying our name is MemSQL we were telling our prospects to think of us as in-memory and SQL. SQL we didn’t have a problem with but we had outgrown in-memory years ago. That was really only 5% of our current revenues.”

He also mentioned the hang-up many have with in-memory database implementations: they tend to be expensive. “So this implied high TCO, which couldn’t have been further from the truth,” he said. “Typically we are ⅕-⅛ the cost of what a competitive product would be to implement. We were doing ourselves a disservice with prospects and buyers.”

The company liked the name SingleStore because it is based on a conceptual idea of its proprietary technology. “We wanted a name that could be a verb. Down the road we hope that when someone asks large enterprises what they do with their data, they will say that they ‘SingleStore It!’ That is the vision. The north star is that we can do all types of data without workload segmentation,” he said.

That effort is being done at a time when there is more competition than ever before in the space. Others also providing tools to manage and run analytics and other work on big data sets include Amazon, Microsoft, Snowflake, PostgreSQL, MySQL and more.

SingleStore is not disclosing any metrics on its growth at the moment but says it has thousands of enterprise customers. Some of the more recent names it’s disclosed include GE, IEX Cloud, Go Guardian, Palo Alto Networks, EOG Resources, SiriusXM + Pandora, with partners including Infosys, HCL and NextGen.

“As industry after industry reinvents itself using software, there will be accelerating market demand for predictive applications that can only be powered by fast, scalable, cloud-native database systems like SingleStore’s,” said Lonne Jaffe, managing director at Insight Partners, in a statement. “Insight Partners has spent the past 25 years helping transformational software companies rapidly scale-up, and we’re looking forward to working with Raj and his management team as they bring SingleStore’s highly differentiated technology to customers and partners across the world.”

“Across industries, SAS is running some of the most demanding and sophisticated machine learning workloads in the world to help organizations make the best decisions. SAS continues to innovate in AI and advanced analytics, and we partner with companies like SingleStore that share our curiosity about how data and analytics can help organizations reimagine their businesses and change the world,” Oliver Schabenberger, COO and CTO at SAS, added. “Our engineering teams are integrating SingleStore’s scalable SQL-based database platform with the massively parallel analytics engine SAS Viya. We are excited to work with SingleStore to improve performance, reduce cost, and enable our customers to be at the forefront of analytics and decisioning.”

SAP latest enterprise software giant to offer low code workflow

Low code workflow has become all the rage among enterprise tech giants and SAP joined the group of companies offering simplified workflow creation today when it announced SAP Cloud Platform Workflow Management, but it didn’t stop there.

It also announced SAP Ruum, a new departmental workflow tool and SAP Intelligent Robotic Process Automation, its entry into the RPA space. The company made the announcements at SAP TechEd, its annual educational conference that has gone virtual this year due to the pandemic.

Let’s start with the Cloud Platform Workflow Management tool. It enables people with little or no coding skills to build operational workflows. It includes predefined workflows like employee onboarding and can be used in combination with Qualtrics, the company it bought for $8 billion in 2018, to include experience data.

As SAP CTO Juergen Mueller told me, the company sees these types of activities in a much larger context. In the hiring example, that means it’s more than simply the act of being hired and getting started. “We like to think in end-to-end processes, and the one fitting into the employee onboarding would be recruit to retire. So it would start at talent acquisition,” he said.

Hiring and employee onboarding is the first part of the larger process, but there are other workflows that develop out of that throughout the employee’s time at the company. “Basically this is a collection of different workflow steps that are happening with some in parallel, some in sequence,” he said.

If there are experience questions involved like which benefits you want, you could add Qualtrics questionnaires to that part of the workflow. It’s designed to be very flexible. As with all of these kinds of tools, you can drag and drop components and do some basic configuration and you’re good to go. In reality, the more complex these become, the more expertise would be required, but this type of tool is designed with non-technical end users in mind as a starting point.

SAP Ruum is a simplified version of Cloud Platform Workflow Management designed for building departmental processes, and if there is an automation element involved where you want to let the machine take care of some mundane, repeatable tasks, then the RPA solution comes into play. The latter tends to be more complex and require more IT involvement, but it enables companies to build automation into workflows where the machine pushes data along through the workflow and does at least some of the work for you.

The company joins Salesforce, which announced Einstein Workflow Automation last week at Dreamforce, and Google Workflows, the tool Google introduced in August. There are many others out there from companies large and small including Okta, Slack and Airtable, which all have no-code workflow tools built in.

The SAP TechEd conference has been going on for 24 years, and usually takes place in three separate venues — Barcelona, Las Vegas and Bangalore — throughout the year. This year, the company is running a single combined virtual conference for free to all comers. It runs for 48 hours straight starting today with a worldwide audience of over 60,000 sign-ups as of yesterday.

AWS announces SageMaker Clarify to help reduce bias in machine learning models

As companies rely increasingly on machine learning models to run their businesses, it’s imperative to include anti-bias measures to ensure these models are not making false or misleading assumptions. Today at AWS re:Invent, AWS introduced Amazon SageMaker Clarify to help reduce bias in machine learning models.

“We are launching Amazon SageMaker Clarify. And what that does is it allows you to have insight into your data and models throughout your machine learning lifecycle,” Bratin Saha, Amazon VP and general manager of machine learning told TechCrunch.

He says that it is designed to analyze the data for bias before you start data prep, so you can find these kinds of problems before you even start building your model.

“Once I have my training data set, I can [look at things like if I have] an equal number of various classes, like do I have equal numbers of males and females or do I have equal numbers of other kinds of classes, and we have a set of several metrics that you can use for the statistical analysis so you get real insight into easier data set balance,” Saha explained.

After you build your model, you can run SageMaker Clarify again to look for similar factors that might have crept into your model as you built it. “So you start off by doing statistical bias analysis on your data, and then post training you can again do analysis on the model,” he said.

There are multiple types of bias that can enter a model due to the background of the data scientists building the model, the nature of the data and how the data scientists interpret that data through the model they built. While this can be problematic in general, it can also lead to racial stereotypes being extended to algorithms. As an example, facial recognition systems have proven quite accurate at identifying white faces, but much less so when it comes to recognizing people of color.

It may be difficult to identify these kinds of biases with software as it often has to do with team makeup and other factors outside the purview of a software analysis tool, but Saha says they are trying to make that software approach as comprehensive as possible.

“If you look at SageMaker Clarify, it gives you data bias analysis, it gives you model bias analysis, it gives you model explainability, it gives you per inference explainability, it gives you a global explainability,” Saha said.

Saha says that Amazon is aware of the bias problem and that is why it created this tool to help, but he recognizes that this tool alone won’t eliminate all of the bias issues that can crop up in machine learning models, and they offer other ways to help too.

“We are also working with our customers in various ways. So we have documentation, best practices, and we point our customers to how to be able to architect their systems and work with the system so they get the desired results,” he said.

SageMaker Clarify is available starting today in multiple regions.

Ransomware and The Perils of Paying

Ransomware finds its victims by accident or by intent, and each week the technology and business model adapt. Some pay the ransom to get back online faster and others don’t. The decision to pay is more complex than it appears, and victims, IR firms, insurance companies and Bitcoin payers could be subject to fines and/or criminal penalties.

“The increase in ransomware attacks over the last two years has been dramatic,” said Chris Keegan of Beecher Carlson. “Costs of attacks and payments have increased significantly, and the sophistication of the malware has increased substantially.”

  • Ransomware claims increased 239% from 2018 to 2019
  • Cost of ransomware payments increased 228% from 2018 to 2019
  • Average ransomware payments increased 31% from Q2 to Q3 2020
  • Ransomware payments in 2019 were 3X 2018 payments
  • Extortion demands paid in 2019 were 4X 2018 amounts
  • Ransomware incidents where data had been exfiltrated increased from 8.77% to 22% from Q1 to Q2 2020

Those data indicate widespread losses and beg the question: can this approach continue? If you are one of the companies that suffered a loss, it can be devastating. Keegan added that “cyber insurance payouts have increased significantly as a result of these developments and the markets are reacting by increasing premiums and seeking to provide tools to help insureds better identify and correct vulnerabilities. In addition, insurers are focusing on more careful selection of their policyholders.”

You Don’t Always Get What You Pay For

Attackers have become very sophisticated at pressuring victims to pay, but for enterprises, it’s not as simple as that.

Take the Blackbaud breach in May of this year. They reported “cybercriminals were able to remove a copy of a subset of data from Blackbaud’s self-hosted environment.” Blackbaud hired a third-party firm to negotiate with the hackers: “we only paid the ransom when we received credible confirmation that the data was destroyed.”

Blackbaud is a “U.S. based cloud computing provider and one of the world’s largest providers of education administration, fundraising, and financial management software.” In July they gave notice to their clients that while they suffered a breach, no sensitive customer data was involved. In September, Blackbaud filed its Form 8-K SEC filing to reflect “the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.”

Large cloud providers pose enormous risks to their downstream clients. Northshore University Health System had 348,000 patients lose PHI as a result of the Blackbaud incident. There are currently 23 class action lawsuits against Blackbaud and another 160 claims coming from USA, UK and Canada. They reported “breach related expenses of $3.6 million through September, with $2.9 mil in accrued insurance recoveries.”

It’s important to keep in mind that Blackbaud is a victim. Unfortunately, given the connected nature of their business model, offering services to non-profits, there is a shared responsibility for data that is ongoing. We place a higher burden on larger, publicly traded entities and expect them to embrace stewardship of our data better than we can ourselves.

Garden variety ransomware will encrypt data and seek a ransom payment in Bitcoin to “unlock” the files. In the above example, data was exfiltrated with a promise to destroy upon payment. The US Treasury and FBI have a policy against paying a ransom because it “not only encourages future ransomware payment demands but also may risk violating OFAC regulations….and threaten national security interests.”

Paying a Ransom Requires Resources…and Skill

As Blackbaud noted, they hired an independent forensic firm to negotiate on their behalf. And based on their disclosure, insurance reimbursed them for a percentage of that expense. On Oct 1, 2020, the Treasury Office of Foreign Assets Control (OFAC) issued an advisory cautioning companies against making ransom payments. But paying ransoms without violating the law requires a skilled team.

“Most payments where insurance companies are involved are made through specialist ransomware negotiation and incident response (“IR”) companies with experts in negotiations with threat actors”, says Keegan. “The Bitcoin wallets of these companies are usually the source of the payment – though a small number of cyber insurance companies have their own in-house experts and wallets. If the payments are small enough, they can be made on credit usually backed by the guarantee of the insurance company or the insured. As the IR firm that has the best knowledge of the threat actors, the insurance companies rely heavily on their expertise and on the investigation done by them for confirmation that they are in compliance with OFAC, FinCEN and any other payment regulations. The SLA agreements with the IR companies will often stipulate that it is their responsibility. Insurers will also be looking to breach counsel and their insured for confirmation.”

Blackbaud paid the ransom to protect its client data. Certainly, not having proper security in place or backups is negligent in today’s world. But when hospitals are reduced to “paper operations” and cannot determine critical patient data or perform services, as happened at Universal Health Services’ 400 facilities, what is the greater harm? How did Blackbaud know that they were not diverting funds to a sanctioned person, which could trigger a fine against Blackbaud, their IR firm or even the banks/exchanges facilitating the transfer into Bitcoin?

James Arnold of KPMG LLP shared a couple of interesting scenarios around attribution and the OFAC advisory. “How can the DFIR know for certain that a particular actor is responsible? And if the DFIR must represent that an SDN wasn’t involved, how can the Treasury prove us wrong? In October 2020, we began assisting a large multinational company who was suffering from a Wastedlocker attack. Following the release of OFAC’s October 1, 2020 Advisory, this company was advised by legal counsel that they could not deal with the hacker and as a result is experiencing significant business interruption and financial loss, to the point of possible bankruptcy.”

“This cannot be what OFAC intended,” Arnold added. “One radical suggestion might be to pass a law that says starting in January 2023, no US based companies will be allowed to pay any ransom related to a cyber-attack. This would force companies to begin enhancing their cyber security to address the most common control weaknesses that allow ransomware attacks to succeed like the lack of proper back-ups and failure to deploy MFA. NIST CF was phased in over several years and we now have better risk based controls and this would be a similar approach.”

Luke Emrich of RSM US LLP commented that his firm doesn’t make, get involved in, or facilitate any payment of ransom demands as part of an engagement. “No organization is ever the same after experiencing a ransomware event. We hope every ransomware victim has the ability to recover and rebuild in a way that leaves them stronger and more resilient to future attacks. The potential for OFAC sanctions may create a situation where a ransomware victim suffers a catastrophic loss, ultimately forcing them to close their doors due to damage and loss of systems, information and data required to run their business.”

“The struggle is when a business is faced with what is almost a life or death decision. Needing to pay to get their data back vs government penalties they will face from OFAC if they want to survive – they are going to pay 100% of the time – so the OFAC proclamation is ultimately meaningless. The penalty is an added cost of survival and the victim is just being taxed for being a victim,” said Keith Strassberg of Cybersafe Solutions, LLC.

OFAC Rules in Practice

David Tannenbaum, a former Treasury official, now of Blackstone Compliance Services LLC, notes “…this advisory is a reminder to the business community that OFAC regulations prohibit ransom payments to sanctioned persons. These prohibitions have always been in place, but OFAC typically issues advisories such as these when they see an uptick in risks or a prominent case and feel the need to raise awareness.”

The Treasury Dept. gets its authority to sanction individuals from EO 13694, and it can designate persons (individuals or an entity) who conduct certain cyber attacks. It’s confusing because they start with the malware families that are most damaging (Dridex, Wannacry, SamSam, Cryptolocker) and then attach persons (Evil Corp, etc.) to that malware once they have sufficient attribution. Arent Fox points out that there is a ‘Dridex Gang’ alias on the SDN list which is related to Dridex but is not the malware family. It’s well known that malware is shared by hackers and a Wastedlocker attack could be launched by someone other than the person designated.

This all means that a ransomware victim needs to know what the malware is and, if they plan on paying the ransom, whether there is an SDN behind the attack. The other parties involved include the DFIR, the insurance carrier and the payer, all of which could be held responsible. OFAC states that a victim involving law enforcement and documenting its actions to avoid interaction with SDNs is “a key mitigating measure to any sanctions enforcement case.”

“Attribution and enforcement of the OFAC and FinCEN rules may become more difficult due to moves away from Bitcoin to other crypto currencies which provide greater anonymity,” offered Keegan. “Further, tactics techniques and procedures (TTPs) which are typically used for attribution are becoming increasingly shared with the rise of Ransomware as a Service. Ransomware criminals are eager not to put up any roadblocks to payment and go through great lengths to preserve their anonymity using frequently rotated burner cryptocurrency wallets. To date, we have not seen companies in the insurance industry, or their vendors, seek to get a license from the Treasury for an exception to OFAC rules for payment of ransomware.”

“Attribution has been a tough aspect during these matters. We all know definitive attribution is very difficult but even speculation of an OFAC-listed entity may preclude the facilitation of payments. This is where we need clarity and improvement,” said Anthony Dagostino of Lockton Companies.

Jeremy Murtishaw of DFIR firm Fortify24x7 says, “understanding the ‘who’, an individual or an APT group, is a difficult task. It requires the incident response team to really understand the source of the malware being used to distribute the ransomware, so informing OFAC and the FBI is required in advance of making the payment.”

Chris Prewitt of MCPC also noted the challenges DFIR firms face. “Attribution is incredibly difficult, and while OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program, quite often the victim organization has no idea who the criminal is or where they are located. How are they going to be certain of this? It seems like this is a poor attempt at slowing down ransom payments.”

Tannenbaum recommends that “DFIRs setup policies and procedures that outline key steps which it would take in each case to determine if there is a sanctions nexus. This process should be documented (such as to produce a checklist) to evidence the due diligence, which the other parties involved can reference when doing their own assessment.”

“At a high level, some of these controls may be:

❖ Using threat intelligence tools to determine if any of the evidence left behind (e.g. malware, ransom note, name of attacker, etc.) have been previously tied to a sanctioned party;

❖ Examining the cryptocurrency address to determine, through address clustering or other methods, whether the address provides any clues to the attacker’s provenance; and

❖ Examining the malware to determine if it is the same or similar to other malware attacks by sanctioned actors.”

If the DFIR conducts this analysis, it can categorize the attack as having an SDN nexus, no SDN nexus, or not certain (a gray area). The third category will enable the victim to make a risk-based decision and pay the ransom, not knowing if it could later be determined that it had a nexus with an SDN.
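As an added sketch (not from the article or any of its contributors), here is one way a DFIR team could record the three controls listed above as a checklist and derive the three categories from it. All indicator data, the similarity thresholds and the function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data. A real process would use the OFAC SDN list and
# threat-intelligence feeds; nothing here is a real indicator.
LISTED_INDICATORS = {"note-template-aaa", "handle-example-actor"}
LISTED_ADDRESSES = {"addr-listed-1"}
ADDRESS_CLUSTERS = {"addr-listed-1": "c1", "addr-pay-7": "c1", "addr-pay-9": "c2"}
LISTED_MALWARE = {"FAMILY_A": {"mutex:x1", "ext:.aaa", "packer:p1", "c2:proto-z"}}
SIMILAR, WEAK = 0.6, 0.2  # assumed Jaccard thresholds, not an OFAC standard


@dataclass(frozen=True)
class Finding:
    control: str
    result: str  # "hit", "clear" or "inconclusive"
    detail: str


def check_indicators(evidence):
    """Control 1: do ransom note, handles, etc. match prior sanctioned-party intel?"""
    if not evidence:
        return Finding("threat-intel", "inconclusive", "no evidence collected")
    hits = sorted(set(evidence) & LISTED_INDICATORS)
    if hits:
        return Finding("threat-intel", "hit", "matched: " + ", ".join(hits))
    return Finding("threat-intel", "clear", f"{len(set(evidence))} indicators, no match")


def check_address(address):
    """Control 2: is the payment address listed, or clustered with a listed one?"""
    if address in LISTED_ADDRESSES:
        return Finding("crypto-address", "hit", "address is listed")
    cluster = ADDRESS_CLUSTERS.get(address)
    if cluster is None:
        # A fresh, unclustered wallet proves nothing either way.
        return Finding("crypto-address", "inconclusive", "address not in any cluster")
    peers = {a for a, c in ADDRESS_CLUSTERS.items() if c == cluster}
    linked = sorted(peers & LISTED_ADDRESSES)
    if linked:
        return Finding("crypto-address", "hit", f"cluster {cluster} contains {linked[0]}")
    return Finding("crypto-address", "clear", f"cluster {cluster} has no listed address")


def check_malware(features):
    """Control 3: Jaccard similarity of sample features to listed families."""
    features = set(features or ())
    if not features:
        return Finding("malware", "inconclusive", "no sample analysed")
    family, score = max(
        ((name, len(features & known) / len(features | known))
         for name, known in LISTED_MALWARE.items()),
        key=lambda pair: pair[1],
    )
    if score >= SIMILAR:
        result = "hit"
    elif score < WEAK:
        result = "clear"
    else:
        result = "inconclusive"
    return Finding("malware", result, f"closest {family}, similarity {score:.2f}")


def assess(evidence, address, features):
    """Run all three controls and return the category plus the checklist."""
    findings = [check_indicators(evidence), check_address(address), check_malware(features)]
    results = {f.result for f in findings}
    if "hit" in results:
        category = "SDN nexus"
    elif results == {"clear"}:
        category = "no SDN nexus"
    else:
        category = "not certain"
    return {"category": category, "checklist": findings}
```

Any control that could not be completed pushes the outcome to "not certain" rather than "no SDN nexus", so the stored checklist shows exactly which step left the gray area.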

There is another option: getting a license from Treasury to pay the ransom, even though an SDN is behind the malware. However, Tannenbaum cautions, “OFAC can issue a license to pay a ransom but stated in their advisory that they presume they will deny a license request…attacks which endanger the life and safety of individuals may be more likely to receive a license than ones which just disrupt commercial operations.”

Keegan noted that “a review of the OFAC and FinCEN fine lists over the last few years do not show any fines due to ransomware payments.”

Insurance Risk Transfer

Buying cyber insurance can offset losses and, in many cases, prevent losses if proactive services offered by the carrier are properly utilized. But if there is a ransom event, IR firms that have earned a slot on the insurance panels have the best shot at recovering data and successfully negotiating Bitcoin transfer. But can the cyber insurance market continue to support ransomware fines when they appear to be out of control?

“Most cyber insurance policies do not have specific exclusions for payment of ransomware which might be subject to OFAC and FinCEN restrictions but incorporate provisions which freeze the effect of the policy and make it subject to OFAC oversight in the event an entity or person claiming the benefits of the policy has violated any sanctions law,” said Keegan. “Insurance companies have indicated that they will be reluctant to act if that action is illegal, could affect their licensing or subject them to fines and penalties. However, our experience is that cyber insurance companies are honoring their contractual obligations and paying claims except for a very few cases where there is very clear evidence of payment to a banned entity. In those cases, the insureds, banks and IR firms are all under the same restrictions.”

That view is shared by other insurance brokers. “Insurance policies are written to respond to threats and losses suffered by the insured. You won’t see policies addressing ‘who is the origin of the bad actor’. If the insured organization suffers a covered loss, the insurers intend to cover it. There can be limitations in the form that could come into play such as a war or terrorism exclusion as well as an OFAC endorsement,” said David Lewison of AMWins Insurance.

“To date, the insurance market has not limited coverage for cyber-attacks but there have been adjustments in premium to cover the increased losses,” offered Keegan. How big are the price increases to keep your cyber insurance coverage or to add new coverage? “Insurance carrier increases of zero to five percent rate in the second quarter 2020, gave way to five to fifteen percent increases in the third quarter which were raised again to ten to thirty percent in the fourth quarter. Not all increases are in this range, but cyber insurance buyers should be prepared for requests at these levels. Some adjustments to the structure of programs, such as raising retentions, can be made to limit the increased costs and carriers are amenable to these discussions.”

But all coverage may be out the window if it involves a sanctioned entity involved with a ransomware payment. “The OFAC endorsements can become an issue if a ransom demand emanates from a country on the OFAC list. If the insurer is legally barred from sending funds to a listed country, there will be a problem paying off a ransom to recover systems or data. In this instance I would not expect all coverage to be taken away, just the ransom payment. There are other parts of the policy that would still respond to pay expenses associated with business interruption, forensics, data recovery, the potential for hardware replacement coverage depending on the policy form, legal fees and more,” Lewison added.

“Insureds typically understand OFAC restrictions in general but more education and advice is needed in the area of ransomware and how coverage responds. We’re also concerned with insurers that hold up covered expenses associated with the ransom. While prohibiting the actual demand payment is understandable if deemed to be the act of an SDN, holding up the business interruption loss or other IR costs is problematic,” added Dagostino.

“Ransomware has driven so many losses for the cyber insurance market, we’re seeing much more scrutiny of company’s controls for ransomware in the underwriting process before an event occurs. I think it’s likely we’ll see similar increases in scrutiny of the payments after an event as well,” said Dan Burke of Woodruff Sawyer.

Keegan shares a positive view on the OFAC advisory. “To date, the insurance market has seen only a small minority of situations where payments have been held up because of an indication that the payments might be being made to OFAC and FinCEN restricted entities. First, there are only a handful of known threat actor groups or individuals listed on the known Specially Designated Nationals (“SDN”) lists in addition to a short list of sanctioned nation states (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). Further, there are very few instances where attribution can be made with a degree of certainty. Many businesses will not be able to get enough information on attribution before a decision is made on payment and so will be taking a risk in order to get their businesses operating.”

“Over the past few years insurance has created a database of bad actors…. which ones will provide functional decryption keys, which [hackers] may return looking for additional ransom and which ones may negotiate on the ransom amounts. We would hate to hear that someone paid a ransom and did not get their data back or have it corrupted beyond recovery. Having that institutional knowledge is another advantage of buying cyber insurance rather than tackling the problem alone,” said Lewison.

Conclusion

Ransomware victims need to be aware of the potential consequences of paying extortion. “Civil penalties per violation can be up to $307,922 or twice the value of the payment at issue (whichever is higher); and criminal penalties for knowing violations can be up to $1,000,000 and 20 years in prison.”

The decision to pay needs to come from senior management as they could suffer reputation damage in addition to the above penalties.

Every major standards body for cyber safety has set forth best practices for avoiding ransomware attacks. A good security stack on the endpoint is needed, along with backups and a plan to respond when hit. But most companies haven’t factored paying extortion into their risk analysis. Where should this task fall?

“It is important for each actor to consider the sanctions risks from where they sit in the transactional chain,” offers Tannenbaum. “OFAC regulations prohibit both the payment and any actions which facilitate the payment such as insurance and advice. Each type of entity should consider whether they have a sanctions compliance program, and policies and procedures to address their relevant sanctions risks.”

Insurance companies have been investing heavily in proactive risk mitigation to avoid this mess altogether. “We recommend that companies should have proper business continuity and disaster recovery plans in place and regularly tested so that payment of ransomware is not the organization’s only choice,” said Keegan. “Backups of critical systems should be segmented and stored offline. Companies should have a well-documented and ransomware specific incident response plan to allow clear and efficient decision-making to weigh legal risks against the risks to the business”.

Ransomware is hitting all major companies daily and, because they have proper controls and backups in place, we don’t read about them. Prepare…and stay out of the news!

We want to thank our contributors: Chris Keegan, David Lewison, David Tannenbaum, James Arnold, Anthony Dagostino, Dan Burke, Jeremy Murtishaw, Luke Emrich, and Chris Prewitt

