Ransomware Group Reports Victim It Breached To SEC Regulators

One of the world's most active ransomware groups has taken an unusual -- if not unprecedented -- tactic to pressure one of its victims to pay up: reporting the victim to the US Securities and Exchange Commission. From a report: The pressure tactic came to light in a post published on Wednesday on the dark web site run by AlphV, a ransomware crime syndicate that's been in operation for two years. After first claiming to have breached the network of the publicly traded digital lending company MeridianLink, AlphV officials posted a screenshot of a complaint it said it filed with the SEC through the agency's website. Under a recently adopted rule that goes into effect next month, publicly traded companies must file an SEC disclosure within four days of learning of a security incident that had a "material" impact on their business.

"We want to bring to your attention a concerning issue regarding MeridianLink's compliance with the recently adopted cybersecurity incident disclosure rules," AlphV officials wrote in the complaint. "It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of form 8-K within the stipulated four business days, as mandated by the new SEC rules." The violation category selected in the online report was "Material misstatement or omission in a company's filings or financial statements or a failure to file."

Hackers Turn Compliance Officers

[Press2ToContinue]

In an unprecedented twist of fate, it seems the dark web has gone corporate! AlphV, a ransomware group with a flair for drama, decided that mere data hostage-taking is passé. Now, they're doubling as the SEC's watchdogs. In a hilarious turn of events, these virtual vigilantes are holding MeridianLink accountable for not spilling the beans on their own cybersecurity fiasco. It's like watching Darth Vader join the Rebel Alliance for better healthcare benefits.

Remember when hackers were content with just encrypting your data and asking for Bitcoin? Now, they're demanding compliance reports too! What's next, a ransomware group running for office on a platform of transparency and accountability? Or maybe they'll start offering cybersecurity consulting services - 'We hacked your network, and for a modest fee, we'll tell you how we did it.'

This is like if Bonnie and Clyde had knocked over a bank and then filed a complaint about the bank's lack of security. It's the kind of irony that even Alanis Morissette couldn't make up. On the bright side, if this trend continues, we might just see a decrease in SEC violations – or at least an increase in the most bizarre compliance reports ever filed.

Re:but fruit of the poisonous tree may just let th

[gabebear]

The legal "poisonous tree" is about evidence obtained through illegal conduct on the part of an government official is inadmissible.

e.g. if police break down your door without a warrant and discover your illegal cock-fighting-rink that discovery can't be used in court; but if a criminal breaks into your house and discovers your cock-fighting-rink the burglar's testimony is admissible in court.

Re:but fruit of the poisonous tree may just let th

[Shakrai]

The police can often use the inevitable discovery doctrine to get around fruit of the poisonous true. If you hung fliers for the illegal cock-fighting-ring all over town, soliciting bets on the next cock fight, you're probably screwed when you try to suppress the evidence they found with the unlawful raid. They can also usually keep evidence obtained unlawfully but through honest errors or omissions. Imagine they have a search warrant for the neighbors, evidence of drug dealing, but kick in your door by mistake and find your freezer full of dead bodies. You aren't likely to get that evidence suppressed.

On the criminal analogy, his testimony is admissible, but subject to cross examination. Any lawyer worth their salt could impeach the credibility of a career criminal that broke into your house. It'd probably only get you convicted if he went to the cops first, they secured a warrant, and came back with evidence, although even that could be attacked (did the criminal plant it?) in a way that might create reasonable doubt. If the criminal takes the evidence himself, now you have chain of custody issues, it might hold up if the cops can find some corroborating evidence themselves, but if the whole case is built around the criminal....

Re:

[hey!]

In the law, there are exceptions to rules, exceptions to the exceptions, and sometimes even exceptions to the exceptions to the exceptions.

If a someone breaks into your house and discovers your human trafficking operation, he can report that to the police and they can use that to get a warrants. Warrants are very commonly obtained with evidence obtained from criminals who know because of their illegal activities (e.g. buying drugs). But if that criminal who broke into your house is Batman, the evidence Ba

Re:

[Gibgezr]

Some judges do not like it when the police start using vigilantes as sources to get around privacy laws.

Re:

[christoban]

Batman works very closely with the police. They even have the bat signal on the top of the building.

so batman is an state actor must be why the villai

[Joe_Dragon]

so batman is an state actor must be why the villains keep getting out

Re:

[LifesABeach]

consider.
stating the rule and its application would have been useful.

Re:

[jsonn]

Pay us or Pay the SEC - pick your poison.

Re:

[slarabee]

Or maybe they'll start offering cybersecurity consulting services - 'We hacked your network, and for a modest fee, we'll tell you how we did it.'

Some are already there. While I work in cybersecurity, I enjoy sleeping so do not touch IR with a 10 foot pole. Some of my friends who do specialize in this space tell tales of working hand in hand with ransomware consultants and help desk staff to bring victims who paid back online in a secure manner. Direct quote from one: They have turned into security consultancies with very agressive sales departments.

Re:

[RobinH]

Sorry, what does "IR" mean in this context?

Re:

[Anonymous Coward]

Intrusion Response

Re:

[laughingskeptic]

There are already cyber security consulting types paying dark web contractors to give them a heads up on companies that have just suffered a data breach. I know a person whose entire focus is reporting compliance and legal CYA that does this. There are things a company can do like joining an CISA ISAC that greatly reduces their legal exposure and they guide them through all the CYA stuff for the company and the officers. They don't even touch the technical remediation or recovery aspects but of course ha

Re:

[VeryFluffyBunny]

On the bright side, if this trend continues, we might just see a decrease in SEC violations – or at least an increase in the most bizarre compliance reports ever filed.

I doubt it. Have you ever heard of a c-suite exec. actually listening to experts in IT security? Not even on pain of public humiliation.

SEC Response

[Registered Coward v2]

SEC: We have your complaint. We have a few questions. Please come to our office tomorrow..."

yup, i'm in

[Dr. Tom]

kannt typ now but thubs up

It's sort of like ...

[PPH]

... wearing a wedding ring to a strip club. The dancers see it and figure that I'm good for some juicy blackmail.

And then the revelation: "What wife?"

Public-private partnership

[gweihir]

I believe that is the expression for this.

This is about creating urgency to pay

[SomePoorSchmuck]

Yet another item from the Unintended Regulatory Consequences Department.
SEC reporting requirements make ransomware groups stronger.

Without reporting requirements, a company could tell the ransomers it is taking them a long time to gather enough money, or the decision to pay is bogged down in arguments among the Owners/Board/Lawyers, or other delaying tactics.

With reporting requirements, your company now has an urgent deadline -- if you pay up immediately after receiving the ransom demand, you might still be able to sweep the whole thing under the rug without the breach becoming public knowledge. But if you try to string the ransomers along or refuse to pay, then the ransomers may not get the contents of your wallet, so instead they can kick you in the teeth as they run off with your gold watch.

Wiggle room on 4 days?

[Gibgezr]

>publicly traded companies must file an SEC disclosure within four days of learning of a security incident that had a "material" impact on their business
But the rules can be bent, can't they? As in: it's not within 4 days of the breach, it's within 4 days of the determination that the breach will have material impact.
At least, that's what I see being bandied about as the interpretation in the wild: not sure if that is how the SEC feels about the rule though, but that is the way the rule is being interpre

How Nieve

[jythie]

It is kinda cute that the ransomware gang thinks telling the SEC is even vaguely threatening. I can just imagine the victim quietly laughing while pretending to be scared or upset

Keep an eye on stock trades

[bestweasel]

Watch out for short sellers who bought before the intrusion was known.

Re: Keep an eye on stock trades

[viperidaenz]

Why would you buy stocks *before* an event that would cause a fall?

Re: Keep an eye on stock trades

[bestweasel]

"short sellers" was your clue.