
Ransomware Group Trolls Victim With SEC Complaint After Data Breach

It might be a new pressure tactic, or it might be old-fashioned trolling. Whatever the case, a ransomware gang has filed an SEC complaint directed at one of its victims. The complaint notes that the data breach took place over a week prior, and claims that new SEC rules require the victim to disclose a material impact within four business days.

The ALPHV/BlackCat ransomware group, the culprit behind at least 210 ransomware attacks in 2023 thus far, says that it breached financial software firm MeridianLink on November 7 and exfiltrated data without deploying ransomware. On November 15 the group posted a screenshot of the SEC complaint to its dark web portal, claiming that the situation calls for a Form 8-K filing to have been made.

SEC complaint by ransomware group leverages new 2023 rules, but is a month early

The SEC adopted the pertinent new rules toward the end of July of this year, but they do not go into effect until December (in roughly one month). Companies that experience a cybersecurity incident that may be material to investors will soon be required to file a Form 8-K reporting the incident within four business days of determining that it is material, unless the United States Attorney General determines that an immediate disclosure would pose a substantial risk to public safety or to national security.

This is the first known instance of a ransomware group filing an SEC complaint against a victim. It is presumably a pressure tactic, as it was accompanied by a renewed threat to dump the stolen data to the public within 24 hours. However, as of this writing, there is not yet any sign of stolen data being dumped. This could indicate that the company has entered into negotiations, but deadlines coming and going without action is also not uncommon for ransomware groups. The group may also have decided to reassess its approach after realizing it misinterpreted the new SEC rules.

MeridianLink has confirmed the data breach, but has only said that it found no unauthorized access to production platforms and that business interruption was expected to be minimal. The company would not say for certain whether or not consumer personal information was involved. The SEC has yet to comment on the incident.

Even if the new rules had been in effect already, the SEC complaint might still have been pointless (depending mostly on what sort of data was stolen). At a recent cyber forum in Aspen, government officials confirmed that the new rules do not require reporting of a data breach within four business days of the breach itself, but rather within four business days of the company determining that the incident is material to investors.

Nature of the information stolen in MeridianLink data breach still unclear

The hackers used the automated “Tips, Complaints, and Referrals” page to submit the SEC complaint, so the acknowledgement of receipt that they posted shows only that the form was submitted, not that the SEC will act on it. MeridianLink may have legitimate reporting requirements coming up soon, however, if the company determines there is a potential material impact to shareholders from the data breach.

As Dr. Ilia Kolochenko, Chief Architect at ImmuniWeb, notes: “… Not all security incidents are data breaches, and not all data breaches are reportable data breaches. Therefore, regulatory agencies and authorities should carefully scrutinize such reports and probably even establish a new rule to ignore reports uncorroborated with trustworthy evidence, otherwise, exaggerated or even completely false complaints will flood their systems with noise and paralyze their work. Victims of data breaches should urgently consider revising their digital forensics and incident response (DFIR) strategies by inviting corporate jurists and external law firms specialized in cybersecurity to participate in the creation, testing, management and continuous improvement of their DFIR plan. Many large organizations still have only technical people managing the entire process, eventually triggering such undesirable events as criminal prosecution of CISOs and a broad spectrum of legal ramifications for the entire organization. Transparent, well-thought-out and timely response to a data breach can save millions.”

It would help the situation greatly for MeridianLink to determine whether or not customer personal or financial information was taken in the data breach. The company’s primary product line is a set of loan origination tools for banks and other lenders, something that could obviously contain highly damaging information.

ALPHV/BlackCat has recently established a reputation for being particularly ruthless in its data breaches, leaking private photos of breast cancer patients as part of a March attack on a Pennsylvania health network. The group has also recently bucked usual Russian ransomware gang protocol by taking on the English-speaking “Scattered Spider,” the group responsible for breaching Caesars and MGM, as an affiliate. Given that track record, it is somewhat unusual to see the group not deploy ransomware as part of the attack, suggesting that perhaps it was booted out of the network before it could access a significant amount of sensitive data or lock up anything particularly damaging.

It will be interesting to see if other ransomware gangs pick up the tactic of filing SEC complaints once the new rules go into effect in mid-December. Cyber criminals have generally preferred to keep things quiet for as long as they feel the victim may come to the negotiating table. It would be unusual to see a situation where the victim firmly refuses a ransomware payment but also intends to keep the incident hidden from the public for an extended period.

Ariel Parnes, COO and Co-Founder at Mitiga, believes that this may signify a new era of psychological operations among high-level ransomware groups: “Psychological operations (PsyOps) in cybercrime are strategic tactics that manipulate a target’s perceptions, emotions, reasoning, and behavior to achieve specific goals. These operations have long been a tool for cybercriminals, used to instill fear, urgency, and confusion, often to expedite ransom demands or disrupt operations. The recent U.S. Securities and Exchange Commission (SEC) rule, requiring publicly traded companies to disclose material cyberattacks within four days, has given attackers even more incentive to use PsyOps. This rule adds a layer of urgency and public scrutiny, making it a potent tool for attackers. The recent activity of ALPHV/BlackCat ransomware group against MeridianLink is only the first example of what is expected to be a trend in the coming months. By filing an SEC complaint against MeridianLink for not complying with the disclosure rule, ALPHV has sophisticatedly integrated legal and regulatory frameworks into their psychological warfare strategy. This approach intensifies the pressure on the victim, showcasing a worrying trend where cybercriminals use legal and regulatory mandates to amplify their attacks. In response to these evolving threats, organizations must prioritize incident response readiness. This involves developing the capability to quickly investigate and fully understand the nature of an attack. Additionally, constant exercising through comprehensive tabletop exercises is crucial. These practices ensure that organizations are not only prepared to respond effectively to cyberattacks but also equipped to counteract the misinformation and psychological pressure tactics increasingly employed by modern cybercriminals.”

Jake Williams, former US National Security Agency (NSA) hacker and Faculty member at IANS Research, is also of the opinion that this is the beginning of an ongoing trend: “By reporting their own intrusion to the SEC, BlackCat took the next logical step in incentivizing extortion payments by directly notifying a regulator of a victim who had failed to notify themselves. We should expect that other cyber criminal groups will take similar measures with the SEC. Cyber criminals will also likely threaten privately held organizations with extortion by reporting data theft to other regulatory bodies as applicable. BlackCat has opened Pandora’s box – it’s clear we’ve entered the age of criminals weaponizing regulators against compromised organizations. Whether these reports are simply used to enforce standards or used to further victimize these organizations will be entirely up to regulators. The cyber criminals are watching, regulators need to tread very carefully.”