
Ransomware gangs increase the pressure in new ways
In November 2023, ALPHV/BlackCat tried applying a new type of pressure on a victim – filing an SEC complaint.
The US Securities and Exchange Commission (SEC) is charged with “protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation.” As part of these efforts, the SEC issues cybersecurity incident regulations that “provide investors with timely, consistent, and comparable information about an important set of risks that can cause significant losses to public companies and their investors.”
According to sources online, the group stated that they breached MeridianLink’s systems on November 7 and stole company data without encrypting the systems. Apparently, MeridianLink did not respond quickly enough to ALPHV to negotiate a payment in exchange for not leaking the stolen data. As a result, around the 15th of November, ALPHV decided to file a complaint with the US Securities and Exchange Commission about the company not disclosing the incident that affected “customer data and operational information.” The SEC rule in question requires companies to disclose cybersecurity incidents “four business days after a registrant determines that a cybersecurity incident is material.” The ‘four business days’ do not start when the breach occurs, but if/when the breach is determined to have a significant effect on the company’s bottom line.
ALPHV BlackCat allegedly files SEC complaint against MeridanLink for failure to file a cybersecurity incident. @Mandiant pic.twitter.com/DHEKLEo4DV
— Dominic Alvieri (@AlvieriD) November 15, 2023
Unfortunately for the group, the attempt to weaponize the new SEC disclosure requirements failed, because the rules were not in effect at the time. The rule change was set to take effect on December 15, 2023, over a month after the breach. MeridianLink confirmed the cyberattack and engaged a third-party team to investigate.
This follows a series of similar pressure tactics from these ransomware groups. To date, one of the worst such attempts was carried out in the US in February 2023. The same threat actors, ALPHV/BlackCat, attacked the Lehigh Valley Health Network (LVHN) and stole a significant amount of patient data. This data included photos and medical scan images of over 2700 patients, some with serious medical conditions like breast cancer. LVHN responded to the attack with a public statement that they would not pay a ransom. In March, news broke that a cancer victim was suing LVHN because ALPHV/BlackCat leaked the personal information of patients, including nude pictures, medical scans, and other data belonging to this victim. There’s no guarantee that paying a ransom will lead to the desired result, and all law enforcement agencies discourage such payments. However, this is a reminder that not all data files are the same. Companies must protect this data better than they have done in the past.
In another evolution of this type of added pressure, the Hunters International ransomware group has now gone to some extreme lengths – swatting their victims.
In this context, ‘swatting’ refers to the act of calling emergency services and reporting threat activity at a particular address. This threat activity is usually something like a bomb threat or domestic violence situation. The emergency response to the fake threat is upsetting and disruptive at best. Cybersecurity investigator and journalist Brian Krebs was handcuffed outside of his home after being swatted by cybercriminals, and many celebrities and public officials are swatted as pranks or for nuisance. The worst swatting incidents have cost people their lives.
Hunters International is a Ransomware-as-a-Service gang that emerged late last year. It is likely an offshoot of the old Hive Ransomware gang that was disrupted by the FBI, and some journalists have speculated that Hunters International is still trying to prove itself to potential affiliates. Perhaps that ambition is behind the despicable tactic of targeting individual patients of the companies that have been breached. The gang has infiltrated healthcare organizations like Bradford Health Care and Fred Hutchinson Cancer Center. For Hunters International, it isn’t enough to extort the medical networks. The criminals go after individual victims in the breach, in one case asking a patient for $50 to remove their information from their leak site. Patients of Integris Health in Oklahoma have experienced similar extortion attempts.
This is a far cry from the LockBit Ransomware gang’s apology and free decryption keys offered to a children’s hospital that was attacked by a LockBit affiliate.
This evolution has been coming for some time now. As more organizations take a hardline stance against paying ransoms and refuse to negotiate, the threat actors are going to continue to find new ways to gain a return on their “investments” and apply pressure in “innovative” ways to get their money. There’s no reason to think these gangs will stop on their own.