ALPHV gang just upped the ransomware stakes with one cheeky and outrageous move

There have been more leaks of stolen data by ransomware groups this year than across the entirety of 2022, according to new research from WithSecure. Alongside this growth comes a switch in ransom-leveraging tactics, with ransomware groups no longer simply relying on victims not having suitable data recovery systems in place and coughing up the money.

We’ve seen tactics evolve in recent years to include denial-of-service attacks after the initial data exfiltration and encryption, as well as data leaking.

But now the ALPHV/BlackCat group has taken things one step further by reporting a victim to the US Securities and Exchange Commission (SEC).

ALPHV exploits SEC ruling

In a move as bold as it is outrageous, the infamous cybercrime outfit has sought to use a new SEC ruling in order to pile more pressure on the victim, digital lending platform MeridianLink, to pay up.

Item 1.05 of Form 8-K requires public companies such as MeridianLink to disclose material cybersecurity incidents within four business days.

However, this rule isn’t set to take effect until December.

ALPHV said it reported this non-compliance as it was “involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission”.

As you might have guessed, this follows MeridianLink’s apparent failure to engage with the criminals over the ransom demand.

What the experts say

“Using the threat of filing a ‘failure to report’ complaint against its own victim to the SEC is a compelling tactic that could weaponise a government regulation for a cybercriminal group’s benefit,” says Patrick Tiquet, VP Security & Architecture at Keeper Security.

“With the new SEC disclosure going into effect in mid-December, we will surely see an increase in hackers leveraging this as an extortion tactic to humiliate their victims and guarantee payment is made,” Darren Williams, CEO and Founder at BlackFog, warns.

“The added levels of embarrassment from hackers exposing organisations’ failure to follow regulations and remain transparent with their customers and partners, should give them all the more reason to avoid delayed reporting and hopefully eliminate this new extortion tactic.”

He adds: “Misuse of the new SEC rules to put additional pressure on publicly traded companies was foreseeable, moreover, ransomware actors will likely start filing complaints with other US and EU regulatory agencies when the victims fail to disclose a breach within the timeframe provided by law.

“Not all security incidents are data breaches, and not all data breaches are reportable data breaches,” argues Dr Ilia Kolochenko, Chief Architect at ImmuniWeb and Adjunct Professor of Cybersecurity & Cyber Law at Capitol Technology University.

“Therefore, regulatory agencies and authorities should carefully scrutinise such reports and probably even establish a new rule to ignore reports uncorroborated with trustworthy evidence, otherwise, exaggerated or even completely false complaints will flood their systems with noise and paralyse their work.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.