Hackers Turn SEC Snitches: The Evolution of Ransomware Tactics

Ransomware Gang turns Whistleblower to the SEC

Once upon a time, ransomware was like the annoying cousin at a family reunion – it showed up, made a mess by encrypting your data, and demanded money to leave you alone. But like that cousin who learns new tricks to annoy you, ransomware is evolving.

Enter ALPHV (also known as “BlackCat”), a ransomware group that’s decided if you can’t beat ’em, join ’em… sort of. In a twist that feels like a plot from a cyber-crime movie, they’ve filed a complaint with the SEC (yes, the Securities and Exchange Commission) against one of their victims, MeridianLink. Why? Because apparently, MeridianLink didn’t spill the beans on their data breach quickly enough under new SEC rules.

Here’s the bulleted summary of this cyber saga:

  • ALPHV attacked MeridianLink, nabbing their data without the usual encrypt-your-files routine.
  • ALPHV tried to negotiate a ransom, but MeridianLink wasn’t playing ball.
  • So, ALPHV posted the stolen data online and then filed a complaint with the SEC, claiming MeridianLink broke the rules by not disclosing the breach pronto.
  • Patrick Tiquet from Keeper Security drops this truth bomb: “Disclosure decisions… are no longer solely guided by security best practices; federal legal liabilities also play an important role.”
  • The SEC had rolled out new rules requiring companies to fess up about “material” cyber incidents within four business days.
  • ALPHV, in their newfound role of law-abiding citizen, alerted the SEC about MeridianLink’s non-compliance.
  • But here’s the kicker: the SEC’s new rule doesn’t even kick in until December 18, 2023. Plus, MeridianLink isn’t sure if any sensitive data was actually compromised.

So, what’s the big deal here?

New Extortion Techniques Will Encourage Future Breach Payments

It seems ransomware gangs have a new extortion method in their bag of tricks. Whether they expected to get a ransom payment out of MeridianLink is not the issue here. BlackCat is setting a precedent: if the ransom is not paid, the attackers themselves will report the breach to regulators. That precedent will undoubtedly add weight to the ransomware threat that you either “Pay up, or be reported to authorities.” The arm-twisting by hackers just got a regulatory boost! SEC, be careful what you wish for with your legislative might. This move by ALPHV signals a treacherous twist where cybercriminals use legal frameworks to pressure their victims into payment.

Key Take-Aways:

  • Ransomware isn’t just about encryption anymore; it’s about data theft, data exposure, and the regulatory fines for non-compliance.
  • Hackers are getting creative, using SEC rules as a new weapon in their extortion arsenal.
  • Companies must consider both cybersecurity and legal compliance issues post-breach.
  • The evolution of ransomware shows that hackers are willing to explore uncharted territories to get paid.
  • Update your incident response processes to consider legal and regulatory notifications within 4 days of a confirmed data breach.

As Patrick Tiquet warns, “Using the threat of filing a ‘failure to report’ complaint…to the SEC is a compelling tactic that could weaponize a government regulation for a cybercriminal group’s benefit.”

Prevention is Still the Key

The best approach to Ransomware is to prevent it from happening to begin with.  That boils down to three simple approaches:

    1. Establish a robust technical protection program with your IT Team or MSP. From EDR/XDR to patch management to vulnerability scanning to SIEM, all avenues of technical monitoring and prevention need to be in place.
    2. Train your employees to spot advanced social engineering attacks via email, text message, phone calls, and even QR codes.
    3. Test employees with engaging, positive-outcome phishing simulations to ensure they apply their knowledge to all their devices all the time.

Ransomware Evolution Conclusion

In conclusion, in the article “ALPHV Playing Cop and Robber at the Same Time,” we see a glimpse into the future of ransomware attacks. It’s no longer just about securing your digital fortresses. It’s now also about navigating the treacherous waters of legal obligations. Hackers are getting smarter and bolder, and turning into SEC snitches to grease future extortion requests.  As prevention techniques evolve and get better, ransomware gangs also evolve extortion techniques to ensure every last successful breach pays up. 

Are you ready? Are you doing everything possible to avoid being the next news story?  The time to prepare your company and protect your data is today, ahead of a breach.  As Benjamin Franklin once said (in his case about fire prevention): “An ounce of prevention is worth a pound of cure.”  It is as true today about cybersecurity breach prevention as it was 200 years ago on fire prevention. 
