The BlackCat ransomware gang has begun abusing upcoming US Securities and Exchange Commission (SEC) cyber incident reporting rules to put pressure on organizations that refuse to negotiate ransom payments. The attackers filed an SEC complaint against one victim already, in a move that’s likely to become a common practice once the new regulations go into effect in mid-December.
On Wednesday, cybercriminals behind the BlackCat ransomware, also known as ALPHV, listed MeridianLink, a provider of digital lending solutions to financial institutions, on its data leak website that’s used to publicly name and shame companies the group allegedly compromised. Most ransomware gangs have adopted this double extortion tactic in recent years to force the hand of uncooperating victims by threatening to sell or release data the attackers managed to steal.
In fact, some cybercriminal groups don’t even bother deploying file encrypting malware sometimes and go straight to data leak blackmail. This seems to have been the case with BlackCat and MeridianLink, according to DataBreaches.net who reported speaking with the attackers. The breach reportedly happened on November 7 and only involved data exfiltration.
After an initial contact by someone representing the company, communications went silent, the attackers said. As a result, on November 15 the group listed the organization on their data leak blog but took it one step further: It filed a complaint with the SEC for failure to disclose what the group calls “a significant breach compromising customer data and operational information” using Form 8-K, under Item 1.05.
New SEC rules require reporting of material breaches
The new SEC cybersecurity reporting rules that will go in effect on December 15 require US-listed companies to disclose cybersecurity incidents that impact the company’s financial condition and its operations within four business days after determining such an incident occurred and had a material impact. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said back in July when the Commission adopted the new rules.
However, there can be a lot of uncertainty among companies and executives as to what is material or not. The new rules will further complicate the role that CISOs can have in such filings as recent SEC actions prove they could be held liable for misrepresenting a company’s cybersecurity posture and now the impact of a data breach.