Cybercriminals are becoming more aggressive in their effort to maximize disruption and compel the payment of ransom demands, and now there’s a new extortion tactic in play.
In early November, the notorious ALPHV ransomware gang, also known as BlackCat, attempted a first-of-its-kind extortion tactic: weaponizing the U.S. government’s new data breach disclosure rules against one of the gang’s own victims. ALPHV filed a complaint with the U.S. Securities and Exchange Commission (SEC), alleging that digital lending provider MeridianLink failed to disclose what the gang called “a significant breach compromising customer data and operational information,” for which the gang took credit.
“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” ALPHV wrote. “It has come to our attention that MeridianLink has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”
ALPHV’s latest extortion effort is the first example of what is expected to be a trend in the coming months now that the rules have taken effect. While novel, this isn’t the only aggressive tactic used by ransomware and extortion gangs.
Hackers typically known for deploying ransomware have increasingly shifted to “double extortion” tactics, whereby in addition to encrypting a victim’s data, the gangs threaten to publish the stolen files unless a ransom demand is paid. Some are going further with “triple extortion” attacks, which — as the name suggests — hackers use a three-pronged approach to extort money from their victims by extending threats and ransom demands to customers, suppliers and associates of the original victim. These tactics were used by the hackers behind the wide-reaching MOVEit mass-hacks, which stands as a key event in the trend toward encryption-less extortion attempts.
While ambiguous definitions might not seem like the biggest cybersecurity issue facing organizations today, the distinction between ransomware and extortion is important, not least because defending against these two types of cyberattacks can vary wildly. The distinction also helps policymakers know which way ransomware is trending and whether counter-ransomware policies are working.
What’s the difference between ransomware and extortion?
The Ransomware Task Force describes ransomware as an “evolving form of cybercrime, through which criminals remotely compromise computer systems and demand a ransom in return for restoring and/or not exposing data.”
In reality, ransomware attacks can fall on a spectrum of impact. Ransomware experts Allan Liska, threat intelligence analyst at Recorded Future, and Brett Callow, threat analyst at Emsisoft, shared in an analysis with TechCrunch that this broad definition of ransomware can apply to both “scammy ‘we downloaded the contents of your insecure Elasticsearch instance and want $50’ attacks” to disruptive “threat-to-life encryption-based attacks on hospitals.”
“Clearly, though, they’re very different animals,” said Liska and Callow. “One is an opportunistic porch pirate who steals your Amazon delivery, while the other is a team of violent criminals who break into your home and terrorize your family before making off with all your possessions.”
The researchers say there are similarities between “encrypt-and-extort” attacks and “extortion-only attacks,” such as their reliance on brokers that sell access to breached networks. But there are also important distinctions between the two, particularly on a victim’s clients, vendors and customers, whose own sensitive data can be caught up in extortion-only attacks.
“We see this play out repeatedly, where a threat actor will sort through stolen data to find the largest or most recognized organization they can find and claim to have successfully attacked that organization. This is not a new tactic,” said Liska and Callow, citing an example of how one ransomware gang declared that it had hacked a major tech giant, when in fact it had stolen data from one of its lesser-known technology vendors.
“It is one thing to prevent an attacker from encrypting the files on your network, but how do you protect your entire data supply chain?” said Liska and Callow. “In fact, many organizations aren’t thinking about their data supply chain… but each point in that supply chain is vulnerable to a data theft and extortion attack.”
A better definition of ransomware is needed
While authorities have long discouraged hacked organizations from paying ransom demands, it’s not always an easy decision for hacker-hit businesses.
In encrypt-and-extort attacks, companies have the option to pay the ransom demand to get a key that decrypts their files. But when paying hackers employing aggressive extortion tactics to delete their stolen files, there is no guarantee that the hackers actually will.
This was demonstrated in the recent ransomware attack against Caesars Entertainment, which paid off the hackers in a bid to prevent the disclosure of stolen data. By its own admission, Caesars told regulators that, “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
“In fact, you should assume they won’t,” said Liska and Callow, referring to claims that hackers delete stolen data.
“A better definition of ransomware, which accounts for the distinction between the different types of attacks, will enable organizations to better plan for, and respond, to any type of ransomware attack, whether it occurs inside their own or in a third party’s network,” said Liska and Callow.