Cyber Extortion By SEC Complaint Against The Victim

John O’Connell, CEO and Founder, The Oasis Group

A New Frontier In Ransomware Tactics: BlackCat/ALPHV Exploits SEC Disclosure Rules

The digital era has brought with it an increase in cyber threats that target businesses of all sizes. As a response to this growing problem, the SEC introduced new regulations that compel companies to publicly disclose their breaches within specific deadlines. However, the recent complaint filed by the ransomware group ALPHV (aka “BlackCat”) highlights the challenges that businesses face in complying with these regulations. This article explores the implications of ALPHV’s complaint and how it could impact businesses.

Ransomware Groups Grow In Sophistication

In traditional ransomware attacks, a bad actor infiltrates a target company’s computer systems, copies sensitive information, and encrypts that information on the target company’s computer systems. This encryption renders the information unreadable by the target company without an encryption key. Ransomware attacks emerged in the mid-to-late 2000s and started with bad actors extorting a ransom from the target company for the encryption keys to unlock the data. This type of attack became prevalent between 2013 and 2016.

The landscape of ransomware attacks continued to evolve, with bad actors adopting increasingly sophisticated approaches. A notable shift is the implementation of a sliding scale for ransom payments, whereby the ransom amount escalates the longer a business takes to pay.

New blackmail tactics were seen with the rise of leak sites in early 2019. This tactic combines a traditional ransomware attack with the threat of leaking the target company’s sensitive information on public websites. The leaked material can include compensation tables, executive personal records and addresses, and other sensitive company information, which can be very damaging to the company and its senior executives.

In an innovative twist, some threat actors began to bypass the often costly process of encrypting data altogether. Instead, they copy the target company’s sensitive information and threaten to leak it online or sell the information on the dark web. The MOVEit cybersecurity incident from earlier this year was an example of an incident where the bad actor did not encrypt the target company’s data and simply threatened to publish and sell the sensitive information.

The bad actor from the MOVEit incident published hundreds of gigabytes of sensitive data publicly. This extortion tactic can be particularly effective depending on the nature of the business and its data.

Tactics continue to evolve. Let’s introduce the latest tactic.

SEC Regulations On Cybersecurity Disclosures

The SEC promulgated new regulations to provide a consistent method for target companies to disclose cybersecurity issues. SEC Chair Gary Gensler remarked, “Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

The SEC’s regulations aim to enhance transparency and promote timely reporting of cyber incidents that may impact the financial market. Businesses must identify breaches that pose material risks to their operations and notify their clients, shareholders and regulators within specific timeframes.

However, the complexity of modern cyber threats and the sophistication of cybercriminals make compliance challenging for businesses. They often find it difficult to determine whether a breach is material, how long it will take to investigate it fully, and the precise impact of the breach.

The new disclosure rules became effective on Sept. 5, and the incident reporting requirements were implemented on Dec. 15 for larger publicly traded companies. Smaller firms have a 180-day grace period after Dec. 18 to commence incident reporting. These rules set the stage for a new extortion tactic – threatening to file a formal complaint with the SEC if the target company does not pay the ransom.

A New Extortion Tactic

An attack in November highlights the concerns for SEC-regulated firms. ALPHV, a prolific ransomware group, successfully attacked MeridianLink, a digital lending service provider, and exfiltrated its files without encrypting them. The ransomware group had a single interaction with MeridianLink, and after that failed to engage the company in negotiations over the stolen data.

The group then posted the data on its leak site and tried an unprecedented extortion tactic by filing a report about its own crime to the SEC. ALPHV accused its victim of failing to comply with new SEC regulations that require companies to publicly disclose their breaches within certain deadlines.

The ransomware group ALPHV’s formal complaint to the SEC highlights the challenges that businesses face in complying with new regulations on disclosing cyber incidents. This raises questions about how businesses can effectively comply with these regulations while dealing with cyber threats.

Some businesses may feel pressured to meet the deadlines without thoroughly investigating the incident, which could result in incomplete or inaccurate reports. In addition, ransomware groups like ALPHV can exploit the regulatory deadlines by leaking stolen data before the company has fully investigated the incident and disclosed it to the SEC. This puts the company at a disadvantage and may cause reputational damage.

Importance Of Adopting Robust Cybersecurity Practices

ALPHV’s weaponization of the SEC disclosure rules has far-reaching implications beyond public companies to wealth management firms. Failure to comply with and understand SEC regulations can result in reputational damage, legal liabilities and the leakage of sensitive information on public websites.

Bad actors can file a formal complaint related to a cybersecurity incident against any wealth management firm regulated by the SEC or FINRA. Therefore, the jeopardy is not limited to publicly traded companies.

The MeridianLink incident underscores the importance of adopting robust cybersecurity practices and working closely with cybersecurity experts to develop effective incident response plans. A strong incident response plan can enable your business to quickly determine the extent of a cybersecurity incident and your disclosure requirements. Your firm should consider developing an incident response plan or working with cybersecurity experts to develop one. It could be one of your best investments in 2024.

John O’Connell is the CEO and Founder of The Oasis Group.
