Ransomware Group Reports Victim It Breached To SEC Regulators (arstechnica.com)

One of the world's most active ransomware groups has taken an unusual -- if not unprecedented -- tactic to pressure one of its victims to pay up: reporting the victim to the US Securities and Exchange Commission. From a report: The pressure tactic came to light in a post published on Wednesday on the dark web site run by AlphV, a ransomware crime syndicate that's been in operation for two years. After first claiming to have breached the network of the publicly traded digital lending company MeridianLink, AlphV officials posted a screenshot of a complaint it said it filed with the SEC through the agency's website. Under a recently adopted rule that goes into effect next month, publicly traded companies must file an SEC disclosure within four days of learning of a security incident that had a "material" impact on their business.

"We want to bring to your attention a concerning issue regarding MeridianLink's compliance with the recently adopted cybersecurity incident disclosure rules," AlphV officials wrote in the complaint. "It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of form 8-K within the stipulated four business days, as mandated by the new SEC rules." The violation category selected in the online report was "Material misstatement or omission in a company's filings or financial statements or a failure to file."

Comments:
  • by Press2ToContinue ( 2424598 ) on Friday November 17, 2023 @11:04AM (#64012261)
    In an unprecedented twist of fate, it seems the dark web has gone corporate! AlphV, a ransomware group with a flair for drama, decided that mere data hostage-taking is passé. Now, they're doubling as the SEC's watchdogs. In a hilarious turn of events, these virtual vigilantes are holding MeridianLink accountable for not spilling the beans on their own cybersecurity fiasco. It's like watching Darth Vader join the Rebel Alliance for better healthcare benefits.

    Remember when hackers were content with just encrypting your data and asking for Bitcoin? Now, they're demanding compliance reports too! What's next, a ransomware group running for office on a platform of transparency and accountability? Or maybe they'll start offering cybersecurity consulting services - 'We hacked your network, and for a modest fee, we'll tell you how we did it.'

    This is like if Bonnie and Clyde had knocked over a bank and then filed a complaint about the bank's lack of security. It's the kind of irony that even Alanis Morissette couldn't make up. On the bright side, if this trend continues, we might just see a decrease in SEC violations – or at least an increase in the most bizarre compliance reports ever filed.
    • by jsonn ( 792303 )
      Pay us or Pay the SEC - pick your poison.
    • Or maybe they'll start offering cybersecurity consulting services - 'We hacked your network, and for a modest fee, we'll tell you how we did it.'

      Some are already there. While I work in cybersecurity, I enjoy sleeping so do not touch IR with a 10 foot pole. Some of my friends who do specialize in this space tell tales of working hand in hand with ransomware consultants and help desk staff to bring victims who paid back online in a secure manner. Direct quote from one: They have turned into security consultancies with very aggressive sales departments.

      • by RobinH ( 124750 )
        Sorry, what does "IR" mean in this context?
        • by Anonymous Coward

          Intrusion Response

      • There are already cyber security consulting types paying dark web contractors to give them a heads up on companies that have just suffered a data breach. I know a person whose entire focus is reporting compliance and legal CYA that does this. There are things a company can do like joining a CISA ISAC that greatly reduces their legal exposure and they guide them through all the CYA stuff for the company and the officers. They don't even touch the technical remediation or recovery aspects but of course ha
    • On the bright side, if this trend continues, we might just see a decrease in SEC violations – or at least an increase in the most bizarre compliance reports ever filed.

      I doubt it. Have you ever heard of a c-suite exec. actually listening to experts in IT security? Not even on pain of public humiliation.

  • by Registered Coward v2 ( 447531 ) on Friday November 17, 2023 @11:35AM (#64012399)

    SEC: "We have your complaint. We have a few questions. Please come to our office tomorrow..."

  • kannt typ now but thubs up

  • ... wearing a wedding ring to a strip club. The dancers see it and figure that I'm good for some juicy blackmail.

    And then the revelation: "What wife?"

  • I believe that is the expression for this.

  • by SomePoorSchmuck ( 183775 ) on Friday November 17, 2023 @02:21PM (#64012843) Homepage

    Yet another item from the Unintended Regulatory Consequences Department.
    SEC reporting requirements make ransomware groups stronger.

    Without reporting requirements, a company could tell the ransomers it is taking them a long time to gather enough money, or the decision to pay is bogged down in arguments among the Owners/Board/Lawyers, or other delaying tactics.

    With reporting requirements, your company now has an urgent deadline -- if you pay up immediately after receiving the ransom demand, you might still be able to sweep the whole thing under the rug without the breach becoming public knowledge. But if you try to string the ransomers along or refuse to pay, then the ransomers may not get the contents of your wallet, so instead they can kick you in the teeth as they run off with your gold watch.

  • >publicly traded companies must file an SEC disclosure within four days of learning of a security incident that had a "material" impact on their business
    But the rules can be bent, can't they? As in: it's not within 4 days of the breach, it's within 4 days of the determination that the breach will have material impact.
    At least, that's what I see being bandied about as the interpretation in the wild: not sure if that is how the SEC feels about the rule though, but that is the way the rule is being interpre

  • It is kinda cute that the ransomware gang thinks telling the SEC is even vaguely threatening. I can just imagine the victim quietly laughing while pretending to be scared or upset
  • Watch out for short sellers who bought before the intrusion was known.
