On Nov. 7, the ALPHV ransomware group targeted the network of financial services company MeridianLink and, according to the group, stole files.
No encryption was involved, but the group claims MeridianLink was aware that the attack had happened: the attackers and the company communicated, but no ransom was paid.
So far, this sounds like many ransomware attacks today. What the criminals did next, however, departed from the usual script.
In an innovative tactic, ALPHV reported the publicly quoted MeridianLink to the U.S. Securities and Exchange Commission (SEC) on the grounds that the company had not notified the SEC of a cybersecurity incident within the required four-business-day window.
According to news sites covering the story, the report was submitted through the SEC’s tips, complaints, and referrals page, a whistleblowing system that gives insiders and others a channel for reporting alleged wrongdoing.
Extortion Criminals Turned Whistleblowers?
You wouldn’t normally think of extortion criminals qualifying as whistleblowers, but in this incident they appointed themselves to that role. As ALPHV wrote in its “complaint” to the SEC:
“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.
It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”
Notice the phrase “as mandated by the new SEC rules.” Clearly, these criminals have noted the existence of the rules and think they know a reporting misstep when they see one.
In fact, the SEC rules referred to in this statement did not come into force until Dec. 18, after which all but the smallest publicly quoted companies in the United States are indeed compelled to disclose “material” cybersecurity incidents on Form 8-K within four business days. That clock runs from the day the company determines the incident is material, not from the day the incident occurs or is discovered, a distinction the complaint glosses over.
Free Publicity
Even if the group’s claim stacked up (MeridianLink has since said it found “no evidence of unauthorized access to our production platform,” in which case there was nothing for it to report), it’s unlikely the company would face any sanctions, since the rules were not yet in force when the complaint was filed.
The SEC adopted the final rules in July, which doubtless caused some panic in the boardrooms of affected companies. But organizations have yet to fully digest what the rules mean in different scenarios, not least because deciding what is material, and therefore reportable, will not always be easy.
If ransomware groups think the SEC rules can be exploited to put pressure on victims, they’re likely to be disappointed. First, it’s hard to imagine that a company would pay a ransom to keep a reportable incident quiet when the possible SEC penalties for that exceed the likely ransom.
Second, even companies willing to pay would be unlikely to do so within four days; large companies rarely conclude ransom negotiations that quickly. Ironically, far from being a clever new way of persuading victims to pay up, the threat of reporting a company to the SEC could simply give companies even more incentive to comply with the rules. If only every new regulatory regime could hope for such valuable and eye-catching publicity.