Does your organization monitor the clear, dark, and deep web for threat actor activity? Dark web monitoring is sometimes considered a hit-or-miss exercise, but we recommend it for the threat intelligence and breach response insights it provides. For the last blog in our incident response series, we’re exploring cybercriminal extortion, PR, and negotiation tactics so if worst comes to worst, your organization is prepared.
Loss aversion and ransomware negotiations
Marketing and sales talk about loss aversion as a deal acquisition tactic. Most ransomware groups leverage this tactic through a fully-fledged PR arm, ready to publicly shame victims into avoiding greater disclosure of private or valuable information.
Monitoring the deep and dark web
Threat actors want to earn respect and establish credibility on the dark web. One of the quickest ways to gain both is by listing an organization you claim to have successfully breached on your leaks page or advertising stolen data on dark web markets.
With the right dark web monitoring tool, your organization may be able to monitor threat actors who claim responsibility for the data breach, what stolen data the threat actor has put up for sale, and even how much interest other threat actors are giving the stolen data.
Ask What data did they steal?
If threat actors are attempting to sell your data on the dark web, they will likely describe what data they stole, provide samples of the data, and attempt to generate interest with potential buyers. This could reveal the extent of the malicious access. For example, an organization may exclusively keep intellectual property (IP) in an on-premises data center. If the threat analyst identifies a cybercriminal is in possession of the IP housed in the data center, chances are the data breach impacts more than just the organization’s cloud environment.
Notice victim + theft disclosure
Threat actors often don’t list a victim on their dark webpage immediately. Publicizing the victim now attempts to restart conversations at the negotiating table. This actually allows your PR team some time to deliberately plan for messaging to the broader public. Security journalists, writers, and other organizations monitor victim pages and will likely reach out for comments if they see your organization listed.
Depending on your organization, the media will publish whatever information is available to them, whether it comes from you or the victim page. If the threat actor beats you to public disclosure of a security incident impacting your organization, you have unfortunately ceded control of the narrative at the cost of your reputation.
Case study: ALPHV, BlackCat, and MGM Hotels and Casinos
ALPHV and BlackCat recently made the news for breaching a LA casino giant, MGM. From ALPHV’s publicized ransom note, we surmise a threat actor breached MGM through social engineering tactics against IT admins before deploying ALPHV’s ransomware-as-a-service (RaaS) tool and handing over the encrypted network to ALPHV for negotiation. Notice key extortion tactics within ALPHV’s approach:
- Discredit the victim’s credibility
It’s nearly impossible for MGM to push back against ALPHV’s statement. Not only is MGM accused of unethical behavior, but the only option to rectify their alleged misuse of customer data is by coughing up the payment to ALPHV. Note the below quote from the ransom statement:
“We believe MGM will not agree to deal with us. Simply observe their insider trading behavior. You believe that this company is concerned for your privacy and well-being while visiting one of their resorts?”
- Advertise the breadth of access stolen
ALPHV emphasizes throughout the ransom statement the obvious: their RaaS tool locked up a multi-billion-dollar company. Not only can MGM pay, ALPHV thinks MGM deserves the punishment. Even before ALPHV ransomware was involved, the instigating threat actor had broad access to nearly all of MGM’s infrastructure through very simple social engineering tactics.
- Reference evidence of breach
Notice ALPHV didn’t simply post MGM to its dark web page victim list. Instead, their statement reminds readers “No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.” It might seem an unimportant note at first glance, but that reference actually bolsters ALPHV’s involvement in the hack. ALPHV typically avoids direct attempts breach, instead rendering the victim’s network beyond saving after persistence is already established.
Do not negotiate with extortionists
CISA emphasizes an important point: never negotiate with ransomware groups. Like the example above demonstrates, extortionists will stop at nothing to shame, pressure, and manipulate victims to pay ransoms. Security teams need visibility into the dark web post-data breach to fully understand the extortion tactics deployed against your company.
Modern SecOps and incident response
At Ascent Solutions, our team embraces Modern Security Operations in all aspects of protecting our customers and our own environment—including an incident response. At Ascent Solutions, our proprietary Cy:lent software is the hub we use to curate timely and relevant information ready to be operationalized within our Modern SOC.
If you are interested in deep or dark web monitoring services, let our experts assist you. Reach out to info@meetascent.com for more information.
