In a new twist in the ongoing battle against ransomware attacks, the BlackCat ransomware gang has found a way to leverage upcoming US Securities and Exchange Commission (SEC) cyber incident reporting rules to put pressure on organizations that refuse to negotiate ransom payments. This unsettling development highlights the evolving tactics of cybercriminals and raises concerns about the effectiveness of new regulations in combating cybercrime.
The BlackCat Ransomware Gang’s Approach
The BlackCat ransomware gang, also known as ALPHV, recently made headlines by filing an SEC complaint against one of their victims. Their target was MeridianLink, a provider of digital lending solutions to financial institutions. Instead of deploying typical file-encrypting malware, BlackCat focused on data exfiltration. When communication between the gang and the victim stalled, BlackCat took an unusual step. They listed MeridianLink on their data leak website, a platform used to publicly shame organizations they claim to have compromised. To add more pressure, they filed a complaint with the SEC, accusing MeridianLink of failing to disclose a significant breach compromising customer data and operational information.
New SEC Reporting Rules
Starting on December 15, new SEC cybersecurity reporting rules will require US-listed companies to disclose cybersecurity incidents impacting their financial condition and operations within four business days of confirming such an incident. This includes breaches that have a material impact on the company. SEC Chair Gary Gensler emphasized the importance of such disclosures, comparing them to reporting other significant incidents like factory fires. However, determining what constitutes a “material” breach can be challenging, which may complicate the role of Chief Information Security Officers (CISOs) in these filings.
The Importance of Protecting Your Business
Enitech emphasizes the need for business owners to prioritize cybersecurity in these challenging times. Antwine said, “Attackers are becoming more sophisticated, and they are relentless in their efforts to exploit vulnerabilities. Regardless of the size of your organization or budget, we encourage you to start somewhere. Protecting your assets and sensitive data is not optional—it’s imperative for the survival of your business.”
Implications and Questions
The BlackCat gang’s use of SEC complaints to pressure victims presents a new challenge in the fight against ransomware. It raises questions about how the SEC will respond to this tactic and whether the agency will be more lenient in enforcing the new disclosure requirements initially. Additionally, the incident highlights the need for robust cybersecurity defenses and proactive strategies, as compliance alone may not be sufficient.
Expert Opinions
Ferhat Dikbiyik, head of research at cyber risk management firm Black Kite, points out that the BlackCat gang’s move has blindsided the industry and raises doubts about the effectiveness of the new SEC rules in combating cybercrime. He also questions whether the gang has affiliates within the US.
Jim Doggett, CISO of cybersecurity firm Semperis, suggests that the move by BlackCat could be seen as opportunistic, driven by greed to force quicker payments from victims. However, he also notes that it could potentially attract the attention of US law enforcement agencies.
The emergence of ransomware gangs exploiting SEC complaints to pressure victims is a concerning development in the ever-evolving landscape of cybercrime. While the new SEC rules represent a step towards transparency, they also highlight the need for organizations to maintain robust cybersecurity defenses and proactive strategies. As the fight against ransomware continues, vigilance and preparedness remain critical in safeguarding against these evolving threats.