They’re really quite blatant about it, too.
A ransomware gang claimed this past week that it broke into the systems of the fintech platform MeridianLink. The breach has been reported to regulators.
The company didn’t report it, as new rules will require them to do. The hackers did.
AlphV (or Black Cat, depending on who’s speaking for the gang) aren’t the only criminal hackers to do this sort of thing. Other hackers are joining in on telling the cops of their deeds, as a means of pressuring the victims to pay up. Or their security failures will be made public.
Aside from only cowards meekly surrender and functionally if not legally aiding and abetting the criminals by paying, and the situation is straightforwardly enough greatly mitigated by those companies getting serious about their IT security, a separate question exists.
These criminals have all confessed their crimes. Where are the regulators? Where is DoJ? Certainly, it’s hard to identify the members of these criminal organizations, but hard means possible. In the meantime, these crime syndicates can themselves be traced back and their accesses to the Internet hindered severely, if not outright blocked. And their identities publicly disclosed.