AlphV’s bid to report its victim to the SEC could backfire

Illustration: Si Weon Kim

The ransomware group AlphV reported a victim to the SEC for failing to report a cybersecurity incident, placing government regulators in a precarious position and possibly prompting organizations to step up their compliance game and become more transparent.

On Nov. 15, the ransomware threat actor AlphV, also known as BlackCat, added and removed publicly traded financial institution MeridianLink from its leak site. But, in a twist for ransomware attackers, AlphV also reported its victim to the U.S. Securities Exchange Commission (SEC) via an anonymous tip form.

AlphV told the regulator that MeridianLink failed to report a cybersecurity incident within four days, as required under new SEC rules that don't technically go into effect until Dec. 15. AlphV said the incident occurred on Nov. 7, but Meridian Link indicated it happened on Nov. 10. Either way, under the upcoming new rules, publicly traded companies such as MeridianLink must report cybersecurity incidents to the Commission within four business days after they determine the incident is "material."

MeridianLink has yet to file an 8-K form with the SEC, as the new incident reporting rules require. According to the company's two public statements about the incident, the AlphV breach was "minimal," no ransomware or malware was deployed on its network, and only a limited amount of data was involved, suggesting that MeridianLink did not deem the incident "material." (MeridianLink pointed to its public statements and did not respond to questions from README).

This incident highlights how ransomware attackers are evolving their payment pressure tactics, from encrypting victims' assets to threatening to release stolen data and, now, potentially creating regulatory trouble. Or, as Chris Krebs, Chief Intelligence and Public Policy Officer, SentinelOne and President of PinnacleOne, told README, "There's a cat and mouse game going on here. Threat actors are innovating because they have to - victims are recovering faster after encryption and declining to pay. Extortion via threatening to dump data on the open web only goes so far."

Threatening to tell Mom and Dad

AlphV isn't the first threat actor to raise the specter of regulatory involvement when squeezing victims for payment. In August, researchers at Flashpoint revealed that the threat actor "Ransomed," operating under the alias "RansomForums," leveraged what was then the novel technique of using data protection laws, such as the EU's GDPR, to threaten victims with fines if they don't pay the ransom. "This tactic marks a departure from typical extortionist operations by twisting protective laws against victims to justify their illegal attacks," Flashpoint said.

Threats to involve regulatory authorities are "nothing new," Brett Callow, threat analyst at Emsisoft, told README. "The Maze group claimed to be in contact with the regulatory bodies way back in 2019 or 2020."

However, this latest move garnered a lot of attention from the cybersecurity industry, partly because it occurred in the U.S. and partly because it touched on the controversial new SEC requirements and the anxiety organizations feel ahead of their implementation. (The fear of making a regulatory misstep regarding the new rules was recently heightened by the SEC's recent lawsuit against SolarWinds and its CISO over alleged deficiencies in its cybersecurity practices.)

By drawing the SEC into its criminal action, AlphV has raised worries that "now you will be thrust in a negative light to a regulatory agency that potentially has purview over you," Chris Pierson, Founder and CEO of BlackCloak, told README. "It just throws that extra little wrench in. Now there's another thumb screw that's been turned. Not only does somebody have your data, not only is somebody threatening to release your data, but they have also actually set in place the time clock and taken control of that. [Threat actors] are going to basically [be] threatening to tell Mom and Dad."

Moreover, it's "game-changing in terms of the regulators and how they view these incidents being reported by a potential third party as opposed to by the victim themselves," Pierson said, with Callow saying that "executors aren't going to want to risk personal liability on the basis of trusting AlphV, and that would open them to a second round of extortion and could end up potentially costing them jail time.”

Not only does this kind of tactic instill fear of regulatory trouble, but it also gives publicity-hungry threat actors the exposure they crave. "It does generate a lot of attention, which is the other thing that the ransomware actors want to do," Allan Liska, threat intelligence analyst at Recorded Future, told README. "They want to get that attention on the victims in hopes of forcing the victims to pay." They also "get highly offended when you don't even bother to negotiate; when you don't even log into the portal that they've set up. They take that as a personal affront," Liska said.

The regulators' dilemma

Although this gambit by AlphV may be the first to attract attention, it likely won't be the last such effort, which could leave the government in an odd position of advancing the cause of malicious actors. README asked the SEC how it has dealt with AlphV's report and whether it has opened an investigation.

An SEC spokesperson responded that the agency "cannot comment on any specific matter or confirm the existence or non-existence of an investigation." But he did point to an SEC FAQ page that states, "the more specific, credible, and timely a whistleblower tip, the more likely it is that the tip will be forwarded to investigative staff for further follow-up or investigation. For instance, if the tip identifies individuals involved in the scheme, provides examples of particular fraudulent transactions, or points to non-public materials evidencing the fraud, the tip is more likely to be assigned to Enforcement staff for investigation." AlphV's submission doesn’t appear to contain any of these elements that would prompt an SEC investigation.

Krebs said he expects "BlackCat and others to continue to use this technique until it doesn't work anymore" and thinks that regulators must carefully consider how they will respond in these circumstances. "Targeting whistleblower portals is a logical expansion for these actors, and Inspectors General and others are going to need to think through their approach on how to deal with incoming from less than reputable sources," he said. "Perhaps regulators will only accept reports from authenticated users, from victims, which isn't an insurmountable obstacle for threat actors that already own the victim's active directory."

Given that most regulatory agencies, including the SEC, encourage anonymous whistle-blowing, agencies will likely face a dilemma if these threat actor reports mount. "You don't want to let a company get away with not reporting when there are reporting requirements," Liska said. "You also don't want to reward threat actors."

Is there a silver lining?

Although cybersecurity experts widely view AlphV's action as disturbing, some see a potential silver lining. For one thing, Callow said AlphV's report to the SEC probably backfired. "I think they have miscalculated. I don't believe this will make companies more likely to pay. I think it will make them more likely to file when they should file."

AlphV's misstep might also make companies better prepared if it or another ransomware group attempts to do the same thing again. Pierson said, "This means that companies are really going to have to have their incident response practices in place, well exercised, and everyone's going to have to know what they are, what their role is, and all the rest because time is going to be of the essence, and the timeline is not going to be left up to them."

Krebs said "it's certainly possible that a victim organization could think 'hey, if we don't report it, the bad guys will' and improve their response as a result," mirroring a broader shift among victims to be more transparent. "They've come to realize the downside of withholding information on an incident just isn't worth it due to the impact to reputation, loss of customer trust, and regulatory or oversight concerns, and are communicating earlier, more readily, and more substantively.".

"I'd suggest that more visible attackers, combined with more reporting requirements dropping into place, will lead to increased transparency by victims."