Ransomware Gang Files SEC Complaint

A ransomware gang, annoyed at not being paid, filed an SEC complaint against its victim for not disclosing its security breach within the required four days.

This is over the top, but is just another example of the extreme pressure ransomware gangs put on companies after seizing their data. Gangs are now going through the data, looking for particularly important or embarrassing pieces of data to threaten executives with exposing. I have heard stories of executives’ families being threatened, of consensual porn being identified (people regularly mix work and personal email) and exposed, and of victims’ customers and partners being directly contacted. Ransoms are in the millions, and gangs do their best to ensure that the pressure to pay is intense.

Posted on November 17, 2023 at 11:31 AM • 8 Comments

Comments

Morley November 17, 2023 12:06 PM

Is there earnest enforcement against ransomware perpetrators? Headlines feel like it’s a relatively safe crime.

iAPX November 17, 2023 12:30 PM

The fact is that companies are not severely sanctioned, financially at least, when there’s a leak of users’, clients’ or partners’ data.
I remember when a British specialized healthcare unit, that cured HIV and AIDS affected people, have been all its patient information, including PII and associated medical records: they just paid 100 pounds to each patient.

That’s not acceptable from my point-of-view, and the companies don’t care if PII or information about people leaks on the Internet.

So you could not blackmail them anymore, they won’t pay because there is no consequence for this data to become public, and not because it’s not ethical to pay ransom.

In fine, ransomware perpetrators found another way to sanction the public companies: through the SEC!
Genius! Brilliant!

Clive Robinson November 17, 2023 5:34 PM

@ Bruce, ALL,

Re : The price of not being smart.

“I have heard stories of executives’ families being threatened, of consensual porn being identified (people regularly mix work and personal email)”

More fool them, they are obviously not very bright or assume they are “above it all” which they are not.

As some here know I stopped doing “personal Email” several years ago, and likewise have never done “Social Media”. As for “work resources” in the UK using them for “personal” can get you sacked for gross misconduct and even charged with theft.

For instance reported by the UK, Daily Mail,

“Mr Da Silva was sacked in June 2020 for accessing and forwarding inappropriate images and ‘failing to devote his whole time and attention to his duties’ by doing this during work hours.”

“He was told a company-wide IT security check had been undertaken and was shown two explicit images which had been sent to his work email address by his wife in 2017 and then forwarded on to his personal email address in 2019 during work time.”

But also “the boss” tried to first use it to try and blackmail him, sending several messages of which just two were,

“‘You tried to steal my shares and you can f*** off. I have every email you sent. You are f****d!

‘You are not my boss, you and your wife are going to be lit up in lights. She will be famous!'”

So yeh, just assume not just every character you type and image you see or send will get to be seen by the boss but also a judge and the public as well…

Oudamos November 17, 2023 7:18 PM

they are obviously not very bright or assume they are “above it all” which they are not.

When people such as tenured law professors at research universities, successful bureaucratic climbers and second-placing presidential candidates, fraudsters who steal billions of dollars, and five-star generals keep sending indiscreet things in email or text apps, I don’t think the problem is a lack of “smarts.” Any more than if workers keep getting mangled by a machine, the problem is the workers.

vas pup November 17, 2023 7:23 PM

I see this as just one more example of moving legal system towards more protecting criminals/offenders rather than protecting victims – physical or legal persons. Bad tendency.

JonKnowsNothing November 17, 2023 9:29 PM

@vas pup, All

re: legal system towards more protecting criminals/offenders rather than protecting victims

(USA)
Our laws are divided into 2 sections:

  • Criminal (bashing someone over the head with a hard object)
  • Civil (bashing someone over the head with a paper contract clause)

In both, the primary object is the protection of “property” physical and real estate.

  • Criminal protection remedies are basically pieces of paper you can wave in the wind, like a prayer flag, hoping that the content printed on it will somehow deter physical attacks.
  • Civil protection remedies are basically pieces of paper that, in theory, allow some monetary compensation; trying to collect it is a lifetime endeavor.

Not much in those laws protects the victim(s) of criminal or civil attacks. There’s a lot of paper waving going on and not much victim protection.

===

https://en.wikipedia.org/wiki/Missing_women

  • The term “missing women” indicates a shortfall in the number of women relative to the expected number of women in a region or country.
  • (globally) most recent estimates around 90–101 million women

https://en.wikipedia.org/wiki/Missing_and_Murdered_Indigenous_Women

  • Missing and Murdered Indigenous Women (MMIW)[a] is an epidemic of violence against Indigenous women in Canada and the United States,[1] notably those in the FNIM (First Nations, Inuit, Métis) and Native American communities

https://en.wikipedia.org/wiki/Femicide

  • Femicide or feminicide is a hate crime which is broadly defined as “the intentional killing of women or girls because they are female”, with definitions varying based on cultural context. … A spouse or partner is responsible in almost 40% of homicides involving a female victim.
  • Every year, an average of 66,000 women are violently killed globally

Jeff Bell November 17, 2023 11:17 PM

I bet that there’s room for a ransomware extortion scheme.

“Pay us or we claim to have breached your system.”

Winter November 18, 2023 5:23 AM

@Clive

As for “work resources” in the UK using them for “personal” can get you sacked for gross misconduct and even charged with theft.

The Anglo-Saxon world never could really leave slavery and serfdom behind. They still consider employees as serfs during, and after, office hours. Serfs who are not allowed to have a private existence.

Until the Me Too movement took off [1], female employees were treated even more like slaves who were not allowed a say over their own body (eg, by getting pregnant).

[1] Me Too was literally, I was treated like a sex slave too, by thousands of women.
