by Jennifer Lyn Walker

In the evolution of tactics, it wasn’t entirely surprising a few years ago when ransomware extortion groups attempted pressuring victims to pay by “notifying” their partners or customers. It’s rare that I’m surprised by such antics, but this recent tactic made me laugh out loud, literally. According to DataBreaches.net, the ALPHV/BlackCat ransomware group has filed a complaint with the SEC regarding the failure of one of its alleged victims for non-compliance – albeit prior to the rule going into effect in mid-December.

AlphV wrote: “We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.

It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.

Certainly, there is more to unpack here. But at first blush, this is not a bad strategy on the part of the group to bring undesired attention through a seeming “vigilante” report or just a natural evolution of blackmail tactics. Either way, if this becomes a trend and not just a one-off escapade, organizations finding themselves listed on the business end of a data leak site (actual or alleged) may be forced to report to their authorities out of an abundance of caution before outed by the adversary or otherwise feel compelled to consider paying the demand (not advised).