SEC Complaint Against Company Filed by Ransomware Gang

The new Security and Exchange Commission’s (SEC’s) reporting rules require U.S.-listed companies to disclose cybersecurity incidents that impact the company’s financial condition and its operations within four business days after determining an incident has occurred and had a material impact, according to an article on CSOonline.com.

These rules are providing cyber attackers with a new tactic to coerce payments. The BlackCat ransomware gang (also known as ALPHV) has begun abusing them to put pressure on organizations that refuse to negotiate ransom payments. They have already filed an SEC complaint against one victim, MeridianLink. The fear is that this will become a common practice after the new regulations take effect on December 15.

Most ransomware gangs have adopted a double extortion tactic in recent years to force uncooperative victims to pay by threatening to sell or release data the attackers managed to steal. In this case, Black Cat didn’t even bother deploying file-encrypting malware but went straight to data leak blackmail.

On November 15, Black Cat listed the organization on their data leak blog and filed a complaint with the SEC for failure to disclose what the group calls “a significant breach compromising customer data and operational information” using Form 8-K, under Item 1.05.

“While shocking to many, the reports that Black Cat tattled on one of their victims to the SEC isn’t surprising in the ever-evolving ransomware economy,” said Jim Doggett, CISO of cybersecurity firm Semperis. “Some will argue that Black Cat’s move is opportunistic at best, and they are motivated only by greed to force quicker payments by victims. Others will say that this aggressive move could leave the group in the crosshairs of U.S. law enforcement agencies. At the end of the day, the ransomware gangs are criminal organizations, and their only motive is profits.”