18 November 2023

Well, This is New

One of the world's preeminent ransomware gangs, AlphV, hacked digital lender MeridianLink, something that has become rather commonplace lately.

What AlphV also did was report the lender to the Security and Exchange Commission for not reporting this hack.

This is actually kind of interesting.

Now, not only will they make your data inaccessible, they will rat you out to the authorities if you do not pay:

One of the world’s most active ransomware groups has taken an unusual—if not unprecedented—tactic to pressure one of its victims to pay up: reporting the victim to the US Securities and Exchange Commission.

The pressure tactic came to light in a post published on Wednesday on the dark web site run by AlphV, a ransomware crime syndicate that’s been in operation for two years. After first claiming to have breached the network of the publicly traded digital lending company MeridianLink, AlphV officials posted a screenshot of a complaint it said it filed with the SEC through the agency’s website. Under a recently adopted rule that goes into effect next month, publicly traded companies must file an SEC disclosure within four days of learning of a security incident that had a “material” impact on their business.

“We want to bring to your attention a concerning issue regarding MeridianLink's compliance with the recently adopted cybersecurity incident disclosure rules,” AlphV officials wrote in the complaint. “It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

As noted, the rule hasn’t yet gone into effect, so even if the breach meets the legal definition of a material event, it’s not likely MeridianLink would be in violation. That said, AlphV is likely capitalizing on the industry-wide anxiety caused by the SEC’s recent decision to sue the chief information security officer of SolarWinds. The SEC alleged the SolarWinds executive misled investors about the company’s cybersecurity practices before a 2020 cyberattack by Russian hackers who then went on to infect 18,000 SolarWinds customers with malware.

I guess it's another way that they can exert leverage against their victims, so this was inevitable.

Still, it's a bit ironic.


Post a Comment