Double blow - A ransomware group reports its victims to the US authorities
November 2023 by Mark Molyneux, EMEA CTO at Cohesity
On 15 November, the AlphV hacker group added MeridianLink to its own list of victims. The attack probably took place on 7 November. The group confirmed to news portal Databreaches that it had reported the company to the US Securities and Exchange Commission (SEC).
With this move, the AlphV ransomware group has broken new ground by clearly demonstrating the far-reaching consequences that companies can now expect in the event of a hack. Companies hit by cyber attacks could soon find their backs against the wall with a stark choice to make: pay the ransom to the cybercriminals, or face a hefty fine from the SEC.
"It’s basically a four-stage ransomware attack: encrypt the data, exfiltrate and publish it, harass the people involved and, finally, report it to the regulator," explains Mark Molyneux, EMEA CTO at Cohesity.
The 4-day deadline for reporting a cyber attack to the SEC includes compiling precise data on the cyber incident, which is no easy task in times of crisis. The cyber criminals, meanwhile, hold all the data relating to the attack, which gives them a definite advantage when it comes to filing a dossier with the SEC.
"Companies already have a very short timeframe in which to investigate the cyber incident, assess the data that has been compromised and provide a precise report to the regulator. With threat actors now willing to report the breach themselves, with evidence of the data actually encrypted or exfiltrated, companies will be under increasing pressure to index, classify and secure data so that they can provide an accurate report themselves, but above all to know what has been lost and how to replace it quickly from their vault system," concludes Mark Molyneux.
In France, since 24 April 2023, the Ministry of the Interior’s Orientation and Programming Act (Lopmi) has also required companies that are victims of ransomware attacks to file a complaint within 72 hours if they wish to receive assistance and reimbursement of a cyber ransom from their insurance. There will be no fine for failing to comply, but insurance cover will not be available. It should also be remembered that the SEC can impose fines on all companies listed on the US stock exchange, whether American or not.