In a new extortion twist, Securities and Exchange Commission (SEC) rules adopted last July may have allowed a notorious ransomware group to simultaneously play cop and robber.
The SEC rules require registrants to disclose material cybersecurity incidents they experience within four days and to report on an annual basis material information regarding their cybersecurity risk management, strategy and governance. The orders are effective on or about December 18, 2023.
At the time, SEC chair Gary Gensler said, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
BlackCat Claws Back at SEC Rules
As with some things ransomware-related, the SEC’s reporting regulations may have turned and nipped registrants. According to a blog post on databreaches.net, earlier this month, in an audacious move worthy of only the most brazen criminals, the ransomware group AlphV (aka "BlackCat") filed a formal complaint with the SEC, claiming that one of its recent victims failed to comply with new disclosure regulations.
On November 7, 2023, the cyber crew had successfully infiltrated MeridianLink, a digital lending service provider, exfiltrating without encrypting its data. Someone from MeridianLink had subsequently reached out to AlphV, but apparently no negotiations took place between the two.
In what appears to be a first, AlphV appears to have reported MeridianLink, which the attackers said was aware of the break-in the day it happened, to the SEC for failing to adhere to the new regulation, according to the databreaches.net post.
“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” AlphV wrote.
“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”
In an email to databreaches.net, MeridianLink said:
“Safeguarding our customers’ and partners’ information is something we take seriously. MeridianLink recently identified a cybersecurity incident that took place on Nov 10. Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.
"We have no further details to offer currently, as our investigation is ongoing.”
Consequences of Failing to Report to SEC
Failing to timely report material events to the SEC carries significant penalties not the least of which are stiff fines. It's hard to imagine ransomware groups operating as whistleblowers but still, whistleblowing has become more prevalent.
According to the SEC, it received more than 18,000 whistleblower tips in fiscal year 2023, a record number and approximately 50 percent more than the then-record 12,300 whistleblower tips received in fiscal year 2022. The SEC received more than 40,000 tips, complaints, and referrals in total, a 13 percent increase over fiscal year 2022.
Of course, it will not be surprising to see other ransomware hijackers surface to make similar complaints to the SEC under much the same circumstances.