Recently the ALPHV/BlackCat ransomware gang has taken a different tact from the traditional mutli-extortion model. In the past, ransomware gangs would contact customers of a victim and let them know their victim has information about them and if they don’t want that public, they should influence the victim to pay their ransom amount. ALPHV filed a complaint with the Security and Exchange Commission (SEC) stating their victim (MeridianLink) had not disclosed a breach within the 4 day requirement from the SEC. It appears this is an attempt to influence MeridianLink to pay the ransom sooner than later. This is an interesting spin on the traditional tactic used and one that could become more pronounced in 2024. The 4 day disclosure requirement doesn’t go into effect until December 15, 2023, but still it could be an incentive to businesses who are victims of ransomware attacks, or a data exfiltration attack, to communicate more quickly with their attackers. I would predict that this may spur businesses to adhere to the SEC disclosure requirement more often than not. The interesting piece with that disclosure rule is that the organisation needs to determine whether the event is material to their business. This could delay their need to disclose, which if the adversary decides to use the SEC complaint filing tactic, could put the business in a bind.
While we do not recommend victims paying an extortion fee, as our research has shown that every payment can provide revenues that can be used to launch 6-11 new attacks against new victims, every business will need to make a decision on their own whether they pay or not. Some suggestions to minimise the risks associated with an attack:
- Ensure you have a well-designed incident response plan and that you regularly test it.
- Decide now whether you will pay an extortion fee (you may discuss with a cyber insurance firm on this too). As part of the incident response plan, have a designated negotiator to interface with the adversary.
- If you are a public company, review the new SEC rulings around this in order to make sure you follow the rules properly. Also, decide now what would constitute a material event so you don’t have to figure it out during an incident.
- Do an audit with your security vendors to ensure you’re using their solutions properly and with best practises in place.
- Investigate using one of the new cybersecurity platforms that incorporates Attacks Surface Risk Management and XDR that can improve your visibility and speed with which you defend against attacks.
This new tactic used by ALPHV/BlackCat may be something that will become more commonplace by our adversaries, but with proper preparation a business can be ready to defend itself against these.