
One of the world’s most active ransomware groups has adopted an unusual – if not unprecedented – tactic to pressure one of its victims to pay up: reporting the victim to the US Securities and Exchange Commission.

The pressure tactics were revealed in a post published Wednesday on a dark web site run by AlphV, a two-year-old ransomware crime syndicate. After claiming to have breached the network of MeridianLink, the first publicly traded digital lending company, AlphV officials posted a screenshot of a complaint they said they filed with the SEC through the agency’s website. Under a recently adopted rule that goes into effect next month, publicly traded companies must file SEC disclosures within four days of becoming aware of a security incident that had a “material” impact on their business.

“We would like to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted Cybersecurity Incident Disclosure Rules,” AlphV officials wrote in the complaint. “It has come to our attention that MeridianLink, in light of a significant breach that compromised customer data and operational information, has failed to file the required disclosure under Item 1.05 of Form 8-K within the prescribed four business days, as per the new SEC rules.”

The violation category selected in the online report was “Material misstatement or omission in the company’s filings or financial statements or failure to file.”

Wednesday’s dark web post also included an automated response from the SEC acknowledging receipt of the complaint.

As mentioned, the rule has not yet gone into effect, so even if the breach meets the legal definition of a material event, it is unlikely that MeridianLink would be in violation. AlphV is taking advantage of the industry-wide concern generated by the SEC’s recent decision to sue SolarWinds’ chief information security officer. The SEC alleged that the SolarWinds executive misled investors about the company’s cybersecurity practices before a 2020 cyberattack by Russian hackers, who subsequently infected 18,000 SolarWinds customers with malware.

MeridianLink officials declined a request for an interview and did not answer questions about whether customer data was breached in the network intrusion or whether the security incident could be considered significant. Instead, the company released a statement confirming that officials had identified a “cybersecurity incident” and adding:

Upon detection, we took immediate action to contain the threat and appointed a team of third-party experts to investigate the incident. Based on our investigation to date, we have found no evidence of unauthorized access to our production platforms, and this incident has caused minimal business disruption. If we determine that any consumer personal information was involved in this incident, we will provide notifications as required by law.

Brett Callow, a security analyst at Emsisoft, said a ransomware group called Maze had previously warned victims that it “maintains communication with major securities and financial regulators and will report all data leaks and breaches to them if the compromise is not resolved.”

“I’m not sure if they ever actually did it,” Callow told Ars. “The gangs have also threatened GDPR complaints and, IIRC, someone may have actually followed through on that.” He said he was not aware of any group filing a complaint with the SEC. GDPR is short for the General Data Protection Regulation, a European Union law that provides comprehensive privacy protections to individuals.

AlphV first surfaced in November 2021 and is notable for its use of a ransomware called BlackCat, which is developed in the Rust programming language. The group targets both Windows and Linux environments.

Geopolitical and cybersecurity analyst Chris Lucas wrote in May, “By April 2023, ALPHV has developed itself into one of the most prolific ransomware groups in the current threat landscape, trailing only Lockbit in observed ransomware activity.” “While being a primarily Russia-based group, ALPHV will not target organizations based in the Russian Federation or the rest of the Commonwealth of Independent States (CIS) that made up the former Soviet Union.”

The group was already known for its unusual practice of threatening to launch distributed denial-of-service attacks on targets it had already compromised in an attempt to apply additional pressure for payment.

MeridianLink shares fell 0.2 percent, or 4 cents, to $18.51 in Thursday trading.

Source: arstechnica.com