)
Cybersixgill recently observed a leading ransomware operation posting about an attack on its leak site and bragging about reporting the victim to U.S. regulators. According to the gang, the victim failed to report the attack in accordance with the law. This is the latest high-pressure tactic employed by ransomware operations, which regularly introduce new extortion strategies.
THE HEADLINE
In mid-November 2023, a well-known ransomware-as-a-service[1] (RaaS) operation introduced a new high-pressure tactic to embarrass victims and extract payments. The group announced on its dedicated leak site[2] (DLS) not only that it attacked a software development company, it claimed the victim failed to file Form 8-K,[3] which the Securities and Exchange Commission (SEC) requires after certain data breaches.
According to the ransomware gang, it reported the victim to the SEC for failing to disclose the breach, describing the omission as a violation of recently adopted SEC rules mandating public companies “to promptly disclose material cybersecurity incidents under Item 1.05 of Form 8-K within four business days of determining such incidents to be material.” The gang accused the victim of failing to fulfill this obligation with regard to the recent breach, which allegedly occurred one week prior to the DLS post.
The SEC complaint is the latest extortion tactic introduced in the ransomware sector, where threat actors consistently develop new ways to pressure victims into pay ransoms. Previous tactics include referencing laws and regulations in ransom notes, such as the General Data Protection Regulation[4] (GDPR), which prohibits disclosure of private information. In addition, ransomware gangs frequently threaten to inform victims’ customers, employees, and partners about attacks, ostensibly to embarrass victims and expose less than optimal security practices. Similarly, ransomware gangs have also doxed[5] (and threatened to dox) executives and their family members. This creates the additional threat of identity theft and harassment, which can also increase pressure on cyber attack victims to pay ransoms.
DIVING DEEPER
Cybersixgill collected the DLS posts related to the aforementioned ransomware attack, which did not initially contain any leaked data. Instead, the terse post included only a threat, giving the victim 24 hours to make a ransom payment, after which it said the data would be published in its entirety.
In a subsequent post from the blog section of the DLS, the gang added screenshots from the SEC website, ostensibly as proof that it had filed the complaint. In addition to explicit threats, the gang also included a mini-dox at the end of the post, including the names and email addresses of the victim’s executives and family members. This step seemed designed to open the door to harassment or other malicious activities for company officials and their family members.
TAKEAWAYS
Ransomware gangs continue to introduce new extortion strategies to pressure, shame, and intimidate victims. While doxing company officials is not a new tactic, filing SEC complaints that accuse victims of failing to make Form 8-K disclosures appears to be a new strategy. While it remains to be seen whether the tactic will catch on or succeed in pressuring victims to pay ransoms, it appears that cybercriminals will continue to think out of the box with regard to extortion strategies.
[1] Ransomware-as-a-Service (RaaS) operations provide malware to affiliates using an SaaS-like model. With RaaS tools, even those with little technical knowledge can launch ransomware attacks by signing up for a service.
[2] A dedicated leak site (DLS) is a website on which threat actors publish stolen data during ransomware attacks.
[3] Publicly traded companies in the U.S. are required to make Form 8-K SEC filings to report significant events or corporate changes deemed material to investors.
[4] As its name implies, the General Data Protection Regulation is the primary source of data protection and privacy law in the European Union and the European Economic Area. If corporate data is leaked by a ransomware gang, the targeted company may be entitled to heavy fines by the GDPR, among other legal issues.
[5] Doxing (also spelled doxxing) is a type of online harassment that involves sharing information (such as real names, addresses, job titles, or other identifying data).
)
)
)
)