The dangers of quadruple blow ransomware attacks

Lock on Laptop Screen
(Image credit: (Image credit: Future)

For the first time, a ransomware gang has reported one of its victims to the authorities. This has never happened before and shows the continuing evolution of their business models to maintain pressure on the victim organisations. With this new mechanism, criminal actors are using the threat of potential regulatory fines as an additional incentive for those who fall victim to their attacks to pay the ransom.

The ransomware group AlphV says it has filed a complaint with the American Securities and Exchange Commission (SEC) because its victim, MeridianLink, did not report their successful attack that resulted in data loss. The pressure on companies is growing to structure their measures in the event of successful attacks. This is effectively a quadruple blow against the victims: the data is encrypted, then exfiltrated and published. The people affected end up being harassed and the company ends up being reported to the regulatory authority.

James Blake

Field CISO of EMEA at Cohesity.

Why are ransomware groups choosing this new method?

The route through the authorities is powerful, because new requirements such as NIS 2.0 and the changes to the SEC statutes force companies to report successful cyber attacks and possible consequences within a tight deadline. The new SEC regulations go into effect on December 15th and give victims four days. In the EU, Great Britain, South Africa and Australia, companies only have 72 hours to do this, and in Singapore and China only 24 hours.

Companies already have a very tight window to investigate the cyber incident, all while their security operations centers are drowning in huge numbers of false positives and alerts that often provide very little context of an attack. To understand the operational and regulatory impact of an incident, you need to find out what data has been compromised by attacks, as well as its business and regulatory impact. This problem is further exacerbated by the fact that if their data is encrypted, the organization won’t normally be able to ascertain its regulatory impact. This then has to be explained to the regulator in a detailed report, and in many cases the data subjects whose data has been compromised must be contacted. This all may need to happen while security operations tooling and communications platforms are impacted by the ransomware attack themselves. With cybercriminals now showing a willingness to self-report the breach, companies will come under even more pressure. And more likely to agree to a ransom payment.

We expect hacker groups to use every possible means to obtain ransom money and that reporting to the authorities is the last step in a multi-stage blackmail attempt. It is the ultimate last act to drag the victim into the public eye when the ransom negotiations have failed as a deterrent to other future victims from holding out against paying the ransom. This is further evidenced by the fact that for decades we have seen data exfiltration attacks where the perpetrators have chosen to sell the stolen data rather than threaten to publish it if a ransom isn’t paid.

Being reported to authorities such as the SEC and possibly having to pay fines is certainly bad for the companies concerned. From a cost perspective, however, other tasks are more difficult. Once someone has successfully broken in, IT and security teams must do everything they can to determine the path of the break-in, find possible compromised systems, and eliminate all elements of the attack. The cost of clean ups far exceed the potential regulatory penalties, as the MGM case shows. This casino company was unable to use certain services and data during the cyber incident and lost an estimated $110 million as a result. The costs of attack analysis and recovery are often higher than the legal penalties themselves. Therefore, it is also worthwhile for companies to modernize their incident response and cyber resilience capabilities in order to reduce downtime and improve the entire incident response process.

How can organizations protect themselves?

Cyber resilience means ensuring that even under attack, the organization maintains the means to understand what data was impacted and they can communicate with regulators and impacted data subjects; they can investigate the nature of the attack even when evidence is encrypted or wiped; then they can mitigate the threats and recover their services effectively and efficiently. The house is rebuilt, but stronger than before without the structural defects and the future attack is repelled.

Unfortunately, most companies have not yet taken this approach and fall back on traditional business continuity and disaster recovery approaches of “recovering last backup” that were designed for scenarios like flood, fire and power loss: all scenarios where root cause is well understood. In a cyber attack we face an adaptive human adversary and an often large attack surface, incident response activities are critical to preventing future attacks.

I have seen first hand as an incident responder who has been brought in after the customer had tried over 17 times to restore tens-of-thousands of servers, only to have them compromised within minutes. This costs an enormous amount of time and with ransomware attacks, every second means the organization isn’t delivering products and services or meeting contractual obligations. This impact is compounded by the fact that the 72 hour or four day reporting requirement is being violated on a mass scale.

The incident proves once again that instead of chasing the illusion of complete cyber security, companies should shift their focus to cyber resilience. Only then will they be able to withstand attacks with minimal impact on the organization and customers, be it operational or regulatory.

We've featured the best encryption software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:

James Blake

James Blake is Field CISO of EMEA at Cohesity.