In what is being described as the latest move in ransomware extortion, the group ALPHV, AKA BlackCat, reported their own crime to the US Securities and Exchange Commission (SEC). ALPHV filed a complaint that MeridianLink — the digital lending company — failed to report a security incident. The spin? ALPHV was behind the incident itself.
”BlackCat has opened Pandora’s box — it’s clear we’ve entered the age of criminals weaponizing regulators against compromised organizations. Whether these reports are simply used to enforce standards or used to further victimize these organizations will be entirely up to regulators. The cybercriminals are watching, regulators need to tread very carefully.”
A New Extortion Technique and the First of Many Attacks To Come
“Psychological operations (PsyOps) in cybercrime are strategic tactics that manipulate a target’s perceptions, emotions, reasoning, and behavior to achieve specific goals.
“These operations have long been a tool for cybercriminals, used to instill fear, urgency, and confusion, often to expedite ransom demands or disrupt operations.”
Williams added that this will not be the last time the industry sees this rare and new extortion technique.
“By reporting their own intrusion to the SEC, BlackCat took the next logical step in incentivizing extortion payments by directly notifying a regulator of a victim who had failed to notify themselves.
“We should expect other cybercriminal groups to take similar measures with the SEC. Cybercriminals will also likely threaten privately held organizations with extortion by reporting data theft to other regulatory bodies as applicable.”
ALPHV first launched a successful ransomware attack on MeridianLink and then put pressure on the company by filing a complaint with the SEC. Like any other public company, MeridianLink (NYSE: MLNK) is bound by law to disclose all significant cybersecurity breaches to the SEC within four days.
ALPHV ran a blog on their leak site. The title of that blog post was disturbingly honest.
“MeridianLink fails to file with the SEC…so we did it for them. + 24 hours to pay.”
ALPHV included screenshots of the SEC complaint in their blog post. In a statement sent to DataBreach, MeridianLink responded by minimizing the attack and claiming they had acted immediately and contained the threat.
“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”
Claiming that the attack was not impactful allows for a new SEC rule, which does not make it mandatory to report security incidents of minor impact.
But MeridianLink went even further and questioned the legality of the SEC law itself in the present day. “The new SEC reporting rule doesn’t go into effect until December 15,” the company said.
We followed up with Parnes, who agreed that this would not be the last time this technique would be used.
“The recent activity of ALPHV/BlackCat ransomware group against MeridianLink is only the first example of what is expected to be a trend in the coming months. ALPHV has sophisticatedly integrated legal and regulatory frameworks into its psychological warfare strategy.”
Parnes argued that companies must be prepared to respond effectively with security incident plans, be equipped to counteract misinformation and be capable of managing psychological pressure tactics.
But in light of events, it could be argued that it is always simpler to report the incident in the first place.
What Should the SEC’s Policy on Criminals Reporting Their Own Attacks Be?
If ransomware gangs are going to use the law to put pressure on organizations to pay a ransom and deploy more effective attacks, what should the SEC do? Parnes spoke to Techopedia about this paradoxical scenario.
“The SEC should indeed have a stance on ransomware groups reporting their own crimes, and it would be prudent for them to discourage this type of behavior.
“Allowing ransomware groups to exploit regulatory mechanisms for their own gain is counterproductive to the SEC’s mission of fostering a secure and resilient digital environment for the corporate sector.
Parnes added that the SEC rule is intended to promote transparency and accountability and should not inadvertently incentivize cybercriminals to use it as a tool for extortion and manipulation.
“Finding a balance between reporting requirements and discouraging criminal behavior should be a priority to ensure the effectiveness of regulatory measures.”
While most cybercriminals would avoid making any kind of contact with law enforcement, some are known for pushing the envelope. Aggressive and bold organizations like ALPHV do not seem to hesitate to report their own crimes or even consider the risk of exposure high.
“The bold move by the ransomware group highlights not only their advanced resources and technologies but, more importantly their advanced modus operandi.
“These cybercriminals are not limited to exploiting technical vulnerabilities alone; they are also adept at manipulating human psychology, legal frameworks, and regulations to advance their malicious objectives.”
The Power of Transparency
IT and security teams live in a world where powerful cybercriminal syndicates and nation-state-supported ransomware gangs with endless resources constantly evade law enforcement and intensify attacks year after year. These gangs will stop at nothing and are now even using laws in their favor.
The question is clear: What can organizations do? The answers may not be that complex. A layered security framework, robust security incident response plans, zero-trust architectures, and proper training are still the way to go.
While the SEC should undoubtedly find a way to discourage ransomware gangs from filing complaints, companies could easily bypass this extortion scam by simplifying reporting the security incident, especially when they are legally compelled to do so.
Businesses that continually fail to report ransomware attacks for fear of reputation damage or bottom-line impacts and refuse the help that law enforcement agencies like the FBI or the NSA can provide when hit by a cyber attack are merely giving attackers everything they need to cause greater damage.
In ransomware, as well as in any other cybersecurity incident, organizations can leverage transparency. Customers, the public, and stakeholders value it. Transparency is always the key to malicious actions, building trust and reputation, effective communication and resolutions, and strong accountability.