The BlackCat ransomware gang has begun abusing upcoming US Securities and Exchange Commission (SEC) cyber incident reporting rules to put pressure on organizations that refuse to negotiate ransom payments. The attackers filed an SEC complaint against one victim already, in a move that’s likely to become a common practice once the new regulations go into effect in mid-December.
On Wednesday, the cybercriminals behind the BlackCat ransomware, also known as ALPHV, listed MeridianLink, a provider of digital lending solutions to financial institutions, on their data leak website, which the group uses to publicly name and shame companies it claims to have compromised. Most ransomware gangs have adopted this double extortion tactic in recent years to force the hand of uncooperative victims by threatening to sell or release data the attackers managed to steal.
In fact, some cybercriminal groups don’t even bother deploying file-encrypting malware and go straight to data leak blackmail. This seems to have been the case with BlackCat and MeridianLink, according to DataBreaches.net, which reported speaking with the attackers. The breach reportedly happened on November 7 and involved only data exfiltration, with no encryption of systems.
After an initial contact by someone representing the company, communications went silent, the attackers said. As a result, on November 15 the group listed the organization on its data leak blog but took it one step further: It filed a complaint with the SEC alleging that MeridianLink had failed to disclose what the group calls “a significant breach compromising customer data and operational information” in a Form 8-K filing under Item 1.05, the new line item for material cybersecurity incidents.
New SEC rules require reporting of material breaches
The new SEC cybersecurity reporting rules that go into effect on December 15 require US-listed companies to disclose material cybersecurity incidents, meaning incidents that affect the company’s financial condition or operations, within four business days of determining that the incident is material. The four-day clock therefore starts at the materiality determination, not at the moment the intrusion is discovered. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said back in July when the Commission adopted the new rules.
However, there is a lot of uncertainty among companies and executives as to what is material and what is not. The new rules further complicate the role CISOs play in such filings: Recent SEC actions show that they can be held liable for misrepresenting a company’s cybersecurity posture, and under the new rules potentially for misrepresenting the impact of a data breach as well.
Last month, the SEC filed charges against SolarWinds and its CISO, Timothy G. Brown, for misleading investors by not disclosing “known risks” and not accurately representing the company’s cybersecurity measures during and before the 2020 cyberattack that affected thousands of customers in government agencies and companies globally.
It will be interesting to see how the SEC reacts to the possibility of ransomware gangs taking advantage of its rules and complaint process to blackmail victims, and whether the agency will be more lenient in how it enforces the new disclosure requirements in the beginning.
“This puts added pressure on publicly traded MeridianLink after claiming to have breached its network and stolen unencrypted data,” Ferhat Dikbiyik, head of research at cyber risk management firm Black Kite tells CSO via email. “This move has blindsided the industry and raised questions about the effectiveness of the new SEC rules in the fight against cybercrime. It also begs the question: Does ALPHV have affiliates within the US?”
New cyber extortion tactic a wake-up call
“Although the SEC rules are a step toward transparency, MeridianLink and MGM incidents reveal an uncomfortable truth: Compliance alone is not sufficient,” Dikbiyik said. “Cybersecurity is dynamic and requires robust, always-on defenses and proactive strategies. This is an industry-wide wake-up call.”
“While shocking to many, the reports that BlackCat tattled on one of their victims to the SEC isn’t surprising in the ever-evolving ransomware economy,” Jim Doggett, CISO of cybersecurity firm Semperis, tells CSO. “Some will argue that BlackCat’s move is opportunistic at best, and they are motivated only by greed to force quicker payments by victims. Others will say that this aggressive move could leave the group in the crosshairs of US law enforcement agencies. At the end of the day, the ransomware gangs are criminal organizations, and their only motive is profits.”