The cybercrime group Volcano Demon calls the executives of the victim company directly as soon as it has successfully broken in and encrypted data. The attackers immediately apply massive pressure to obtain more ransom money quickly. This new ransomware tactic has reached a further level of escalation, says Mark Molyneux, EMEA CTO at Cohesity.
According to analyses by security provider Halcyon, the Volcano Demon group is responsible for numerous successful attacks in the past three weeks. Instead of listing the victim company on its own leak site as usual, the actors in the Volcano Demon group call managing directors and IT managers using unidentifiable caller ID numbers. The calls are aggressive in tone, and the actors threaten the executives with making data public and attacking customers and employees. These are real threats that carry weight, as the group has also exfiltrated data to support its demands.
As the attack on the British healthcare provider Synnovis showed, the attackers misuse stolen data to harass customers. Their aim is to put more pressure on the target company and extort a ransom. In the Synnovis case, stolen patient data was published.
The spectrum of tactics is expanding, and victim companies must expect a wide range of consequences in moments of great stress. Last year, the ransomware group AlphV reported a targeted company to the US Securities and Exchange Commission (SEC) because it did not want to pay. The intent was that the company should at least be held to account for the rule violation and pay fines.
This had never happened before and shows the continuing evolution of ransomware gangs' business models to maintain pressure on victim organisations. With this new mechanism, criminal actors are using the threat of potential regulatory fines as an additional incentive for those who fall victim to their attacks to pay the ransom.
This is practically a quadruple blow to the victims: first the data is exfiltrated, then it is encrypted, and the stolen data is published. The company managers are threatened, customers and employees are harassed, and in the end the victim may be reported to the regulator.
Why are ransomware groups choosing this new method?
The route through the authorities is powerful because new requirements such as NIS 2.0 and the changes to the SEC statutes force companies to report successful cyber attacks and their possible consequences within a tight deadline. The new SEC regulations go into effect on December 15th and give victims four days. In the EU, Great Britain, South Africa and Australia, companies have only 72 hours to do this, and in Singapore and China only 24 hours.
We expect hacker groups to use every possible means to obtain ransom money, and reporting to the authorities is the last step in a multi-stage blackmail attempt. It is the final act, used to drag the victim into the public eye once ransom negotiations have failed, and to deter future victims from holding out against paying. This is further evidenced by the fact that for decades we have seen data exfiltration attacks in which the perpetrators chose to sell the stolen data rather than threaten to publish it if a ransom was not paid.
It is understandable that companies initially want to conceal a successful break-in so as not to unsettle shareholders, customers and the public. With this new manoeuvre by cyber criminals, IT staff have less and less time to investigate their situation. In addition, they now have to go public sooner than they might like, and they need to know quickly exactly what has been stolen. To be able to react quickly in an emergency, it is essential to modernise processes and procedures.
In addition, companies already have very little time to investigate cyber incidents. They have to work out which data has been compromised by an attack and what value it has, and they have to explain this to the regulator in a detailed report. As cybercriminals now show a willingness to report the breach themselves, companies will come under even more pressure.
It is therefore essential that companies already know exactly what data they hold and have classified it according to its value. Only then can the reports be created quickly and accurately and, more importantly, lost data be restored quickly from an isolated vault system.
The incident proves once again: Instead of chasing the illusion of complete cyber security, companies should shift their focus to Cyber Resilience. Only then will they be able to respond to attacks effectively and survive them. Preventative defences remain important, but in the age of modern cyber weapons, it is more critical to compensate for a successful strike by the adversary with modern approaches to securing and recovering data – with a modern concept that delivers the important disciplines of “identify/protect/detect/respond/recover”.