Yet another way for ransomware gangs to extort you

I have written about three of the ways ransomware hackers can extort you in my Ransomware Primer Mini-Series:

  • Encrypt your information and “sell” you the encryption key.
  • Steal your data and threaten to sell it on the Dark Web or release it into the public domain unless you pay up.
  • Contact the owners of the data they have stolen and inform them that their personal information is at risk unless you pay the ransom, so putting more pressure on you to pay.

Now the ALPHV/BlackCat ransomware gang has come up with yet another method to get organisations to pay their ransoms. In the US there is a legal obligation for publicly traded companies to notify the U.S. Securities and Exchange Commission (SEC) of any cyber attack within four days. Because ALPHV/BlackCat did not get any reply from one of it’s victims, MeridianLink a publicly traded company, the hackers reported MeridianLink to the SEC, using the SEC’s web form for failing to report a breach within the four days.

Ransomware gang files SEC complaint over victim’s undisclosed breach (bleepingcomputer.com)

Yet another way to exert pressure on an organisation to pay up.

Obviously this is a US specific extortion route but it could equally be applied to the 72 hour reporting rule here in the UK.

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Responding to a cybersecurity incident (ico.org.uk)

Ransomware – A Primer