Ransomware Group Files Complaint with SEC Because Victim Did Not Report Breach Quickly
In an unusual twist on breach disclosures, the ALPHV/BlackCat ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) alleging that an organization they breached failed to disclose the incident to the SEC within the timeline required by rules established in July. The MeridianLink financial company has now confirmed that it is recovering from a cybersecurity incident.
In this case, the compromised company (MeridianLink) is not in violation since the new rules for 3 day disclosure haven’t become effective yet and the incident probably wouldn’t reach the material threshold anyway. But, as the old saying goes, “There is no honor among thieves.” Hiding a breach from your customers and the SEC is really just another form of thievery.
Anyone feel like someone just called your mom because you wouldn't budge? Add reporting to your regulator to the list of extortion techniques ransomware gangs are willing to use to extort payment. In MeridianLink's defense, the new SEC four-day reporting requirement doesn't go into effect until next month. Make sure your incident response plans contain current reporting requirements, which are kept updated, then make sure you're prepared to meet or exceed those requirements, including knowing the required format and reporting mechanism.
I have a feeling once the SEC rules officially go into effect we will see more ransomware tactics like this where the ransom states, “Pay now or we inform the SEC.” We saw something similar with the MGM breach; the reason we know so many details of how the breach happened is because the cybercriminal group (Scattered Spider) posted details (it all started with a social engineering phone call to the Help Desk). Finally, keep in mind that while ransomware is in the news, so many other attacks never hit the news simply because they do not have to. When was the last time you read about a successful BEC/CEO fraud attack? Almost never, as you don’t have to go public when you lose money, and yet the FBI records billions in losses due to BEC. Don’t structure your approach to cybersecurity based on just what you read in the news.
Another change in tactics by a ransomware gang to apply pressure on victims. Even though the rule is not yet in effect, the result is the same; it’s now known that MeridianLink is a victim of a ransomware attack. MeridianLink should have come clean with its customers from the get-go.