Ransomware gang grasses up uncooperative victim to US regulator

In a development that observers are already calling predictable, the ALPHV/BlackCat ransomware cartel appears to have added a new tactic to its playbook of methods used to exert pressure on victims to cooperate, reporting them to regulatory authorities.

The case in question centres on MeridianLink, a California-based supplier that specialises in cloud software for smaller financial services organisations, and serves banks, credit unions and mortgage lenders across the US.

According to DataBreaches.net, which was first to confirm the facts of the matter, BlackCat attacked MeridianLink on 7 November and stole data, although it did not encrypt any material.

In conversations with the website’s operators, a BlackCat representative alleged there had been no negotiations, and that subsequently it had filed a complaint against the victim with the United States Securities and Exchange Commission (SEC).

The gang member provided screenshots of the submission, which alleges that MeridianLink had made a material misstatement or omission in its public filings or financial statements, or a failure to file, because it had not informed the SEC within four days of determining the breach to be material.

“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity [sic] incident disclosure rules,” the gang’s complaint, shared by DataBreaches.net, reads.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

This is a new requirement which is in the process of coming into effect, although compliance with the requirement in fact does not begin until mid-December, so it is unclear if the SEC would action any investigation at this point.

Designed to foster transparency and accountability over cyber attacks, the rule has divided the security community because while many support the idea in principle, the concept of what constitutes a “material” breach is rather vague. Others believe it may hand an advantage to attackers.

Ilia Kolochenko, chief architect at ImmuniWeb and adjunct professor of cyber security and cyber law at Capitol Technology University in Maryland, commented: “Misuse of the new SEC rules to make additional pressure on publicly traded companies was foreseeable. Moreover, ransomware actors will likely start filing complaints with other US and EU regulatory agencies when the victims fail to disclose a breach within the timeframe provided by law.

In emailed comments, Kolochenko told Computer Weekly: “Having said that, not all security incidents are data breaches, and not all data breaches are reportable data breaches. Therefore, regulatory agencies and authorities should carefully scrutinise such reports and probably even establish a new rule to ignore reports uncorroborated with trustworthy evidence, otherwise, exaggerated or even completely false complaints will flood their systems with noise and paralyse their work.

He added: “Victims of data breaches should urgently consider revising their digital forensics and incident response (DFIR) strategies by inviting corporate jurists and external law firms specialised in cyber security to participate in the creation, testing, management and continuous improvement of their DFIR plan.

“Many large organisations still have only technical people managing the entire process, eventually triggering such undesirable events as criminal prosecution of CISOs and a broad spectrum of legal ramifications for the entire organisation. Transparent, well-thought-out and timely response to a data breach can save millions.”

MeridianLink spoke only to confirm that it had fallen victim to a cyber security incident. It said: “Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident.

“Based on our investigation to date, we have identified no evidence of unauthorised access to our production platforms, and the incident has caused minimal business interruption.

“If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law. We have no further details to offer currently, as our investigation is ongoing.”