Cyber criminals are happening more aggressive in their efforts to maximize disruption and force payment of ransom demands, and now there is a new extortion tactic in play.
In early November, the notorious ALPHV ransomware gang, also known as BlackCat, attempted a first-of-its-kind blackmail tactic: weaponizing the US government’s new data breach disclosure rules against one of the gang’s victims. ALPHV filed a complaint with the US Securities and Exchange Commission (SEC), alleging that digital lending provider MeridianLink failed to disclose what the gang called a “significant breach that compromised customer data and operational information,” for which the gang took the credit.
“We would like to bring to your attention an issue of concern regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” ALPHV wrote. “It has come to our attention that MeridianLink has failed to file the required disclosure pursuant to Item 1.05 of Form 8-K within the prescribed four business days as required by the new SEC rules.”
ALPHV’s latest extortion attempt is the first example of what is expected to be a trend in the coming months now that the rules are in place. Although innovative, this is not the only aggressive tactic used by ransomware and extortion gangs.
Hackers typically known for developing ransomware have increasingly turned to “double extortion” tactics, where in addition to encrypting a victim’s data, the gangs threaten to publish the stolen files unless a ransom is paid. Some go further with “triple extortion attacks’, which – as the name suggests – hackers use a three-pronged approach to extort money from their victims by extending threats and ransom demands to the original victim’s customers, suppliers and partners. These tactics were used by the hackers behind the wide-ranging mass breaches of MOVEit, which is a key event in the trend towards non-encryption extortion attempts.
While ambiguous definitions may not seem like the biggest cybersecurity issue facing organizations today, the distinction between ransomware and extortion is important, not least because defenses against these two types of cyberattacks can differ greatly. The distinction also helps policymakers know what the ransomware trend is and whether anti-ransomware policies are working.
What is the difference between ransomware and extortion?
The Ransomware Task Force describes ransomware as “an evolving form of cybercrime, through which criminals remotely compromise computer systems and demand a ransom in exchange for restoring and/or not exposing data.”
In fact, ransomware attacks can fall on a spectrum of impact. Ransomware experts Allan Liska, threat intelligence analyst at Recorded Future, and Brett Callow, threat analyst at Emsisoft, shared in an analysis with TechCrunch that this broad definition of ransomware can apply to both “scammy” downloaded content of your insecure Elasticsearch presence and want $50 attacks” to prevent “life-threatening encryption attacks in hospitals”.
“Clearly, though, they’re very different animals,” Liska and Callow said. “One is an opportunistic porch pirate who steals delivery to the Amazon, while the other is a group of violent criminals who break into your home and terrorize your family before making off with all your possessions.”
Researchers say there are similarities between “encryption and extortion” attacks and “extortion-only attacks,” such as their reliance on brokers who sell access to compromised networks. However, there are also important distinctions between the two, particularly when it comes to a victim’s customers, vendors, and customers, whose sensitive data can be captured in extortion-only attacks.
“We see this play out over and over again, where a threat actor will sort through the stolen data to find the largest or most recognized organization they can find and claim to have successfully attacked that organization. This is not a new tactic,” Liska and Callow said, citing an example of how a ransomware gang claimed to have hacked a major tech giant, when in fact it had stolen data from one of the lesser-known technology vendors.
“It’s one thing to prevent an attacker from encrypting the files on your network, but how do you protect the entire data supply chain?” Liska and Callow said. “In reality, many organizations don’t think about their supply chain … but every point in that supply chain is vulnerable to a data theft and extortion attack.”
A better definition of ransomware is needed
While authorities have long discouraged compromised organizations from paying ransom demands, it’s not always an easy decision for businesses hit by hackers.
In encryption and extortion attacks, companies have the option of paying a ransom demand to receive a key that decrypts their files. But when you pay hackers who use aggressive blackmail tactics to delete their stolen files, there’s no guarantee that the hackers will actually do it.
This was demonstrated in the recent ransomware attack against Caesars Entertainment, which the hackers attributed to an attempt to prevent the disclosure of stolen data. By its own admission, Caesars told regulators that, “We have taken steps to ensure that the stolen data is deleted by the unauthorized party, although we cannot guarantee that outcome.”
“Actually, you’d have to assume they wouldn’t,” Liska and Callow said, referring to claims that hackers delete stolen data.
“A better definition of ransomware, which explains the distinction between different types of attacks, will allow organizations to better plan and respond to each type of ransomware attack, whether it occurs within their own network or a third-party network. Liska and Callow said.
