While shocking to many, the reports that ALPHV/BlackCat tattled on one of its victims – MeridianLink – to the U.S. Securities and Exchange Commission (SEC) aren’t surprising in the ever-evolving ransomware economy. And the SEC found themselves in the unusual situation of being tipped off about the attack…by the attackers themselves.
I’ve always said that to predict what cybercriminals will come up with next, just follow the recipe of maximizing profit while minimizing time and effort, removing all morality, with a dash of “avoiding undue government scrutiny.” And this tactic fits right into the mold. It’s not new: the blackmailer threatens to expose their victim if they refuse to pay.
As the new SEC disclosure ruling comes into effect Dec. 15, requiring that companies report “material” cybersecurity incidents within four days, expect this tactic to become the norm in ransomware attacks. The SEC will have an army of not-so-altruistic helpers.
Some will argue that this aggressive move could leave the group in the crosshairs of U.S. law enforcement agencies. Drawing unneeded attention to themselves isn’t wise if they are looking to keep the gravy train of profitability running. But I’m not convinced this would move ALPHV/BlackCat further into the federal government’s crosshairs than they already are; we have to assume the SEC or an associated agency is already monitoring dark web exposure sites to see what data gets posted by organizations. ALPHV/BlackCat may simply confirm what the SEC already knows about.
Overall, it doesn’t make sense to pay a ransom unless it’s a life and death situation. In fact, most companies that pay the ransom fall victim a second and third time. There are legal consequences as well: in 2021, a family in Mobile, Ala., sued a hospital claiming they failed to notify them about a ransomware attack that took medical equipment offline and disrupted services. Tragically, a baby died and the family claimed in its lawsuit the death was the result of medical equipment being offline because of the ransomware attack.
When ransomware attacks make headlines, it’s important to remind victims that there’s light at the end of the tunnel. Make no mistake, ransomware attacks can cripple some organizations. But in a target-rich environment, defenders can make it difficult enough for ransomware operators that they search for softer targets to hit.
Organizations need to know what their critical systems are (including identity infrastructure such as Active Directory) before attacks occur and build resiliency into them. Prepare for the inevitable, because 90% of organizations have experienced at least one ransomware attack in the last two years. By preparing in advance, defenders can make their organizations so difficult to compromise that hackers will look for softer targets.
Sean Deuby, principal technologist, Semperis