
Why extortion is the new ransomware threat

Cybercriminals are becoming more aggressive in their effort to maximize disruption and force payment of ransom demands, and there is a new extortion tactic at play.

In early November, the notorious ransomware gang ALPHV, also known as BlackCat, attempted a first-of-its-kind extortion tactic: weaponizing the US government's new data breach disclosure rules against one of the gang's own victims. ALPHV filed a complaint with the U.S. Securities and Exchange Commission (SEC), alleging that digital loan provider MeridianLink failed to disclose what the cybercriminal group called “a significant breach that compromises customer data and operational information,” for which the gang took credit.

"We want to bring to your attention a concerning issue regarding MeridianLink's compliance with recently adopted cybersecurity incident disclosure rules," ALPHV wrote. "It has come to our attention that MeridianLink has not filed the disclosure required under Item 1.05 of Form 8-K within the stipulated four business days, as required by the new SEC rules."

ALPHV's latest extortion effort is the first example of what is expected to be a trend in the coming months now that the rules have come into effect. While novel, this is not the only aggressive tactic used by ransomware and extortion gangs.

Hackers, typically known for deploying ransomware, have increasingly turned to “double extortion” tactics, whereby, in addition to encrypting the victim's data, gangs threaten to release the stolen files unless a ransom is paid. Some go further with “triple extortion” attacks, in which, as the name suggests, hackers use a three-pronged approach to extort their victims by extending threats and ransom demands to customers, suppliers and associates of the original victim. These tactics were used by the hackers behind the massive attacks on MOVEit, which are a key development in the trend toward extortion attempts without encryption.

While ambiguous definitions may not seem like the biggest cybersecurity problem facing organizations today, the distinction between ransomware and extortion is important, especially since defense against these two types of cyberattacks can vary greatly. The distinction also helps policymakers know where ransomware is trending and whether anti-ransomware policies are working.

What is the difference between ransomware and extortion?

The Ransomware Task Force describes ransomware as an “evolving form of cybercrime, through which criminals remotely compromise computer systems and demand a ransom in exchange for restoring and/or not exposing data.”

In reality, ransomware attacks can have a spectrum of impact. Ransomware experts Allan Liska, Threat Intelligence Analyst at Recorded Future, and Brett Callow, Threat Analyst at Emsisoft, shared in an analysis that this broad definition of ransomware can apply to everything from “scam-like ‘we downloaded the contents of your insecure Elasticsearch instance’ $50 attacks” to “disruptive encryption-based attacks that threaten the lives of hospitals.”

"Clearly, though, they are very different animals," Liska and Callow said. "One is an opportunistic pirate who steals your Amazon delivery, while the other is a team of violent criminals who break into your home and terrorize your family before taking all your possessions."

Researchers say there are similarities between “encrypt and extort” attacks and “extortion-only attacks,” such as their reliance on middlemen who sell access to breached networks. But there are also important distinctions between the two, particularly for the victim's clients, suppliers, and customers, whose own sensitive data can be caught up in extortion-only attacks.

“We see this happening repeatedly, where a threat actor classifies the stolen data to find the largest or most well-known organization it can find and claims to have successfully attacked that organization. This is not a new tactic,” Liska and Callow said, citing an example of how a ransomware gang claimed it had hacked a major tech giant, when in reality it had stolen data from one of its lesser-known technology providers.

"It's one thing to prevent an attacker from encrypting files on your network, but how do you protect your entire data supply chain?" Liska and Callow said. “In fact, many organizations are not thinking about their data supply chain… but every point in that supply chain is vulnerable to a data theft and extortion attack.”

A better definition of ransomware is needed

While authorities have long discouraged hacked organizations from paying ransom demands, it is not always an easy decision for businesses affected by hackers.

In encrypt-and-extort attacks, companies have the option of paying the ransom to obtain a key that decrypts their files. But when a company pays hackers who use aggressive extortion tactics to delete its stolen files, there is no guarantee that the hackers will actually do so.

This was demonstrated in the recent ransomware attack against Caesars Entertainment, which paid hackers in an attempt to prevent the disclosure of stolen data. By its own admission, Caesars told regulators that "we have taken steps to ensure that the unauthorized actor deletes the stolen data, although we cannot guarantee this outcome."

“In fact, it should be assumed that they will not,” Liska and Callow said, referring to claims that hackers delete stolen data.

“A better definition of ransomware, which takes into account the distinction between different types of attacks, will allow organizations to better plan and respond to any type of ransomware attack, whether it occurs within their own network or that of a third party,” Liska and Callow comment.
