Why extortion is the brand new ransomware risk

Cybercriminals have gotten extra aggressive of their effort to maximise disruption and compel the fee of ransom calls for, and now there’s a brand new extortion tactic in play.

In early November, the infamous ALPHV ransomware gang, often known as BlackCat, tried a first-of-its-kind extortion tactic: weaponizing the U.S. government’s new data breach disclosure rules in opposition to one of many gang’s personal victims. ALPHV filed a criticism with the U.S. Securities and Change Fee (SEC), alleging that digital lending supplier MeridianLink didn’t disclose what the gang referred to as “a significant breach compromising customer data and operational information,” for which the gang took credit.

“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” ALPHV wrote. “It has come to our attention that MeridianLink has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

ALPHV’s newest extortion effort is the primary instance of what’s anticipated to be a pattern within the coming months now that the rules have taken effect. Whereas novel, this isn’t the one aggressive tactic utilized by ransomware and extortion gangs.

Hackers usually identified for deploying ransomware have more and more shifted to “double extortion” ways, whereby along with encrypting a sufferer’s information, the gangs threaten to publish the stolen recordsdata except a ransom demand is paid. Some are going additional with “triple extortion” assaults, which — because the title suggests — hackers use a three-pronged strategy to extort cash from their victims by extending threats and ransom calls for to clients, suppliers and associates of the unique sufferer. These ways have been utilized by the hackers behind the wide-reaching MOVEit mass-hacks, which stands as a key occasion within the pattern in the direction of encryption-less extortion makes an attempt.

Whereas ambiguous definitions may not seem to be the largest cybersecurity challenge dealing with organizations as we speak, the excellence between ransomware and extortion is essential, not least as a result of defending in opposition to these two sorts of cyberattacks can fluctuate wildly. The excellence additionally helps policymakers know which manner ransomware is trending and whether or not counter-ransomware insurance policies are working.

What’s the distinction between ransomware and extortion?

The Ransomware Process Power describes ransomware as an “evolving form of cybercrime, through which criminals remotely compromise computer systems and demand a ransom in return for restoring and/or not exposing data.”

In actuality, ransomware assaults can fall on a spectrum of influence. Ransomware consultants Allan Liska, risk intelligence analyst at Recorded Future, and Brett Callow, risk analyst at Emsisoft, shared in an evaluation with TechCrunch that this broad definition of ransomware can apply to each “scammy ‘we downloaded the contents of your insecure Elasticsearch instance and want $50’ attacks” to disruptive “threat-to-life encryption-based attacks on hospitals.”

“Clearly, though, they’re very different animals,” mentioned Liska and Callow. “One is an opportunistic porch pirate who steals your Amazon delivery, while the other is a team of violent criminals who break into your home and terrorize your family before making off with all your possessions.”

The researchers say there are similarities between “encrypt-and-extort” assaults and “extortion-only attacks,” comparable to their reliance on brokers that promote entry to breached networks. However there are additionally essential distinctions between the 2, notably on a sufferer’s shoppers, distributors, and clients, whose personal delicate information will be caught up in extortion-only assaults.

“We see this play out repeatedly, where a threat actor will sort through stolen data to find the largest or most recognized organization they can find and claim to have successfully attacked that organization. This is not a new tactic,” mentioned Liska and Callow, citing an instance of how one ransomware gang declared that it had hacked a significant tech large, when in truth it had stolen information from certainly one of its lesser-known know-how distributors.

“It is one thing to prevent an attacker from encrypting the files on your network, but how do you protect your entire data supply chain?” mentioned Liska and Callow. “In fact, many organizations aren’t thinking about their data supply chain… but each point in that supply chain is vulnerable to a data theft and extortion attack.”

A greater definition of ransomware is required

Whereas authorities have lengthy discouraged hacked organizations from paying ransom calls for, it’s not always an easy decision for hacker-hit companies.

In encrypt-and-extort assaults, firms have the choice to pay the ransom demand to get a key that decrypts their recordsdata. However when paying hackers using aggressive extortion ways to delete their stolen recordsdata, there isn’t any assure that the hackers truly will.

This was demonstrated in the recent ransomware attack against Caesars Entertainment, which paid off the hackers in a bid to stop the disclosure of stolen information. By its personal admission, Caesars instructed regulators that, “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”

“In fact, you should assume they won’t,” mentioned Liska and Callow, referring to claims that hackers delete stolen information.

“A better definition of ransomware, which accounts for the distinction between the different types of attacks, will enable organizations to better plan for, and respond, to any type of ransomware attack, whether it occurs inside their own or in a third party’s network,” mentioned Liska and Callow.