Last Week in Ransomware: 11.20.23

Written by
Published on
Nov 20, 2023

Last Week in Ransomware News we saw BlackCat/ALPHV abusing SEC breach reporting rule for double extortion, ransomware gang leaking data despite ransom paid, and LockBit dumping gigabytes of exfiltrated Boeing data...

Boeing's Sensitive Data Exposed

Boeing, a global aerospace giant, faced a significant cybersecurity breach in late October. The LockBit ransomware gang, responsible for the attack, threatened to expose a substantial amount of sensitive data if Boeing did not meet their ransom demand by November 2.  

The attackers, true to their word, published a large portion of exfiltrated data on October 27, initiating a countdown for negotiations. Despite Boeing being temporarily removed from the LockBit leaks site, the company reappeared on November 7, accompanied by approximately 4GB of sample data.  

On November 10, LockBit released all the exfiltrated data, including configuration backups and logs for IT management tools, raising concerns about potential vulnerabilities in Boeing's systems.  

The situation underscores the increasing convergence of cybercriminal activities with potential national security implications, especially when targeting entities like Boeing within the Defense Industrial Base.

A concerning trend emerges as ransomware attacks, possibly supported or controlled by state actors, blur the lines between cybercrime and national security events. The apparent ties between notorious ransomware groups like LockBit and the Russian government raise questions about the extent of state involvement.  

While the ambiguity in attributing attacks complicates responses, there is a growing need to address these incidents as potential acts of state-sponsored terrorism.

Law enforcement, traditionally responsible for handling cybercriminal activity, faces limitations in addressing the complex nature of these attacks when they encroach into the national security space.  

The U.S. Department of Defense has recognized cyberspace as a distinct domain of conflict, necessitating a strategic approach to defend against and engage with malicious actors.  

Until decisive action is taken against state actors supporting ransomware operations, the spate of attacks on critical infrastructure and national security targets is unlikely to abate.

READ MORE HERE's Ransom Negotiation Failure

In a separate incident,, a platform providing on-demand moving and delivery services, fell victim to a ransomware attack. Despite the company's agreement to pay the ransom, the attackers, dissatisfied with the amount, proceeded to publish the stolen data.  

This scenario exemplifies the increasingly prevalent tactic of double extortion, where threat actors not only demand a ransom to decrypt data but also threaten to expose exfiltrated information.

The Biden administration's recent summit encouraging non-payment policies for ransomware attacks underscores the complexity organizations face. While refraining from paying a ransom aligns with discouraging criminal activity, the decision involves intricate considerations.  

The real-world implications of non-payment, such as potential legal liabilities and loss of investor confidence, create a challenging landscape for victim organizations.


BlackCat/ALPHV's Malvertising and Automation

Another ransomware incident involving a BlackCat/ALPHV affiliate showcases the evolving tactics employed by attackers. Leveraging malvertising, the attacker delivered a ransomware payload disguised as legitimate software downloads.  

The use of advanced techniques like DLL side-loading and Living-off-the-Land methods highlights the adaptability of ransomware operators, often observed automating aspects of their attack sequences.

Ransomware operators continue to evolve, evident in the increased exploitation of vulnerabilities, application of advanced techniques, and automation of attack sequences.  

The Cl0p ransomware gang's efficiency and speed in compromising organizations highlight the urgency in developing robust cybersecurity strategies. The blurred lines between cybercriminal activities and nation-state-supported operations necessitate a more coordinated and assertive response from governments.


ALPHV/BlackCat's SEC Rule Exploitation

In a twist to the double extortion tactic, the ALPHV/BlackCat ransomware gang exploited the SEC's reporting rule by submitting a complaint against a victim organization for alleged non-compliance.  

While this new tactic is not surprising given ransomware and data extortion threat actors have zero conscience and are only motivated by profit, it does highlight yet another issue with the SECs ill-advised plan.

What does the government do when they can’t protect organizations against increasingly disruptive ransomware campaigns that are for the most part just state-sponsored cyber-terrorism attacks?  

They re-victimize the victims of these attacks so they can pat themselves on the back and say they are doing something to address the problem. In reality, they are just making the problem worse for the victims.

This new approach further complicates the landscape, raising questions about the unintended consequences of regulatory frameworks. It’s not hard to see that security teams will feel pressure to not report events to leadership unless they absolutely have to, and this has the potential to negatively impact security operations.

Worse yet, we now see how these new SEC rules can be abused by attackers to compel victim organizations to pay ransom demands, which is completely counter to what other agencies in the US government are strongly advocation – to never pay a ransom demand.

READ MORE HERE is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

Let's get started
3 is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

You may unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow to store and process the personal information submitted above to provide you the content requested.