The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack:
Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.
MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.
According to DataBreaches.net, the ALPHV ransomware gang said they breached MeridianLink's network on November 7 and stole company data without encrypting systems.
The ransomware actor said that "it appears MeridianLink reached out, but we are yet to receive a message on their end" to negotiate a payment in exchange for not leaking the supposedly stolen data.
The alleged lack of response from the company likely prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted "customer data and operational information."
[...] In their own words, the attacker told the SEC that MeridianLink suffered a "significant breach" and did not disclose it as required in Form 8-K, under Item 1.05.
The SEC's new cybersecurity rules are set to take effect on December 15, 2023.
Originally spotted on Schneier on Security.
Related: Teens With "Digital Bazookas" Are Winning the Ransomware War, Researcher Laments
« From Toy to Tool: DALL-E 3 is a Wake-Up Call for Visual Artists—and the Rest of Us | Russia's Alt OS Adds Support for China's LoongArch CPUs »
Related Stories
What do Boeing, an Australian shipping company, the world's largest bank, and one of the world's biggest law firms have in common? All four have suffered cybersecurity breaches, most likely at the hands of teenage hackers, after failing to patch a critical vulnerability that security experts have warned of for more than a month, according to a post published Monday.
[...] All four companies have confirmed succumbing to security incidents in recent days, and China's ICBC has reportedly paid an undisclosed ransom in exchange for encryption keys to data that has been unavailable ever since.
[...] After the CitrixBleed exploit grants initial remote access through software known as Virtual Desktop Infrastructure, LockBit escalates its access to other parts of the compromised network using tools such as Atera, which provides interactive PowerShell interfaces that don't trigger antivirus or endpoint detection alerts. This access remains even after CitrixBleed is patched unless administrators take special actions.
(Score: 3, Insightful) by Opportunist on Monday November 20, @10:00AM (10 children)
But with a hint of luck, this may "motivate" others who get hacked to report it.
(Score: 3, Insightful) by Rosco P. Coltrane on Monday November 20, @10:32AM (9 children)
Really?
How about it motivates them to do a better job at not being hacked in the first place?
Being hacked isn't unavoidable.
(Score: 4, Insightful) by HiThere on Monday November 20, @02:02PM (8 children)
Actually, it probably *is* impossible for a business with any web presence at all to guarantee that it hasn't been hacked. What they *can* do is unsure than any sensitive information isn't leaked over the internet. (That still won't protect against disgruntled employees.)
So most places could do a much better job, but perfection doesn't exist in this universe. At least not on the macro level. (Perhaps quantum interactions *are* perfect, in some sense of the term.)
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 3, Informative) by Opportunist on Monday November 20, @02:23PM (7 children)
It's not. It's basically my job to keep a company from getting hacked. 10 years and counting, and not for a lack of trying by the other side.
It's possible to be secure. It's just very, very expensive.
(Score: 4, Insightful) by Freeman on Monday November 20, @04:07PM (4 children)
You'd be hard pressed to avoid all pitfalls. Sometimes pure luck is involved. I.E. Oh, good thing I didn't buy that thing that's had a backdoor in it since the thing was produced.
Not saying that you're not doing a great job or that the company you're working for isn't doing a good job at paying for the security. What I am saying is that at a certain level it's all about trust and trusting the right things at the right time.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 3, Funny) by maxwell demon on Monday November 20, @05:21PM
Actually it is easy to prevent your computers from being hacked. Just never switch then on, and instead put them into a safe which triggers a nuclear bomb if someone tries to open it. :-)
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Interesting) by Opportunist on Monday November 20, @05:47PM (2 children)
The trick here is to use an onion model of security. You don't rely on a single piece of hard- or software, you rely on layers. So even if one of them is compromised and it turns out that it contained a backdoor, the next layer kept the maker from using that backdoor and even if somehow this could have been overcome, all they would have seen is the next door in the row.
The trick here is to choose your layers sensibly.
(Score: 0) by Anonymous Coward on Tuesday November 21, @03:42AM (1 child)
(Score: 3, Touché) by Opportunist on Tuesday November 21, @06:45AM
That's the beauty about not being in the US, the SEC can SUC me off.
Snide comments aside, of course we have something similar but the reporting requirements only spell out that you have to report an actual security breach that resulted in a possible access of sensitive data. If you bloody your nose on my third wall because you overcame the first two, you're still far from that.
(Score: 2) by looorg on Monday November 20, @05:35PM (1 child)
Are you secure tho? Or is it just that you are hard enough that other easier targets become more tempting and worthwhile?
(Score: 5, Insightful) by Opportunist on Monday November 20, @05:44PM
Security is always only "good enough". Simply by virtue of having to put more and more effort into less and less reward. It's the usual 80/20 game. And yes, as long as there's plenty of juicy targets not even putting in the 20% effort for the 80% security, there's no need for you to cough up the 80% dough for the remaining 20% security.
I do know though, that we can and do put up way more than the usual 80%. And yes, I think it has been necessary already in the past. For sure? Who knows. Security is one of those things where you'll never know if you had enough. But you'll know for sure if you had too little.
(Score: 2) by VLM on Monday November 20, @09:16PM
Under the new rules it's fairly plausible they could get whistleblower money from the SEC, for reporting the company they hacked for not reporting the company was hacked.
They're still paying a bribe to people who hacked them its just the usual middlemen are trying to middleman even that 'trade' now.
There's a financial reporter-type due matt levine or mike levine or something like that who continually harps on "everything is securities fraud" mostly because the SEC kinda agrees with that interpretation, LOL.