Latest News

Double blow – Ransomware group denounces victims to American authorities

Written by Mark Molyneux, CTO for EMEA at Cohesity

The ransomware group AlphV says it has filed a complaint with the American Securities and Exchange Commission (SEC) because its victim, MeridianLink, did not report their successful attack that resulted in data loss. The pressure on companies is growing to structure their measures in the event of successful attacks.

On November 15th, the hacker group AlphV added the company MeridianLink to its own list of victims. The attack probably took place on November 7th. The group confirmed to the news portal Databreaches that it had reported the company to the American Securities and Exchange Commission (SEC).

Accordingly, AlphV wrote to the SEC: “We would like to draw your attention to a concerning issue regarding MeridianLink’s compliance with the recently adopted rules for disclosing cybersecurity incidents.” MeridianLink says it is investigating the cyber incident and possible consequences.

With this step, the ransomware group AlphV has broken new ground, highlighting the far-reaching consequences that companies can now expect if they are hacked.

This is effectively a quad-bubble ransomware attack: encrypt the data; exfiltrate and publish; harass the data subjects, and finally report to the regulator.

It is understandable that companies will want to initially downplay a successful break-in in order not to unsettle customers and the public, and to allow further time to investigate the incident in peace. However, with cybercriminals’ new manoeuvre, companies have less and less time to get their position in order, and further to this they will need to be more open than they may want to be, as the threat actors will not tone down their reporting. It is essential to modernise the processes and procedures in the event of an emergency in order to be able to react quickly.

Companies already have a very short time to investigate the cyber incident, assess the data that has been compromised, and provide an accurate report to the regulator. With threat actors now showing the will to report the breach themselves, together with evidence of the actual data encrypted or exfiltrated, companies will find themselves under increasing pressure to index, classify and secure data such that they can themselves provide accurate reporting, but more importantly, so they know what has been lost and how to quickly replace that from their vault system.

Synergies for enhanced cyber resiliency

Organisations should consolidate their disparate application data silos onto a single centralised data management platform that is based on a scalable hyper converged file system. In this case the data stored will be automatically analysed by the deduplication and compression functions to achieve the highest reduction rates across the organisation.

To protect stored data, such platforms take the Zero Trust model even further by implementing strict access rules and multi-factor authentication, encrypting the data automatically, both during transport and at rest, to further enhance security against cyber threats like ransomware. And it generates immutable backup snapshots that cannot be changed by any external application or unauthorised user.

These backup snapshots are analysed by AI-driven algorithms to identify indications of possible anomalies. These can be passed on to security automation tools from vendors such as Cisco or Palo Alto Networks, in order to examine the potential incident in more detail.

Finally, modern data management platforms also provide more insights from data analysis thanks to integrated classification. Organisations can better understand their compliance risks by getting visibility into their dark data, which according to Gartner affects between 55% and 80% of the data a company stores. They can decide with confidence whether to keep certain records or delete them with no risk.

All of these synergy effects found in a modern data platform enhance cyber resilience, reduce the operating and storage costs and help organisations to manage the growing volumes of their data in the long term.

The incident proves once again: Rather than the illusion of total cyber security, the focus must shift to operational cyber resiliency where organisations can effectively respond to and withstand attacks. While preventative measures are important, they’re table stakes, not the winning hand, when an organisation is fighting cyber-compromises. There is a very strong case for taking a modern approach to backup and recovery of data with a “‘identify / protect / detect / respond / recover’ setup”.