What happens when a ransomware group files an SEC complaint against its victim, referencing the very data breach it caused? In terms of meaningful consequences, we likely won’t know for at least a month or so. But the ALPHV/BlackCat ransomware-as-a-service group is an early adopter of the tactic, attempting to use it to pressure lending software outfit MeridianLink after an early November data breach.
The hackers appear to have gotten a bit ahead of themselves, as the rules they cite do not actually go into effect until the middle of December. There would be nothing stopping other attackers from copying the technique at that time, however. Attackers can file an SEC complaint online via the agency’s website without leaving a trail back to themselves, but it remains to be seen how seriously these efforts will be taken.
Hackers are finding unique ways to apply pressure after data breaches
The ransomware group had a sound enough idea with its SEC complaint; it simply did not read the fine print of the rules that were adopted several months ago, and did not notice that MeridianLink is not subject to the disclosure terms it cites for a few more weeks.
It is still not known exactly what was stolen in the data breach, but it does not appear that the group actually deployed ransomware. The group claims to have extorted data and provided MeridianLink with a 24-hour deadline along with the SEC complaint, but that has now come and gone with no known data being dumped. This could mean that MeridianLink has entered negotiations, or it could mean that the hackers didn’t steal anything of consequence and the threat is a bluff. The episode is at least a bit out of character for ALPHV, which prides itself on ruthlessness.
Filing an SEC complaint of this sort is not effective now, but it might be in about a month. At that time, publicly traded companies will be required to report a data breach within four days of determining that it is likely to have a material impact. The use cases for hackers seem somewhat limited, however, with this ploy only really useful as a last-ditch threat if the victim is refusing to negotiate or communicate.
Will SEC complaints by threat actors become a trend?
As the SEC complaint notes, companies will soon have to file a Form 8-K publicly documenting the data breach within four days if it is reasonably believed to be a risk to company revenue. There are some limited exceptions, however, chiefly a determination by the United States Attorney General that national security or public safety would be threatened by the disclosure.
MeridianLink has yet to say if this data breach would rise to the standard of material impact. It has essentially told customers to “stand by” as it investigates to determine if personal or financial information was captured. All it has offered so far is a confirmation of the breach and a reassurance that production platforms were not accessed during the attack.
Whether this becomes a trend will likely depend on a major ransomware group appearing to successfully draw a payment out of a reticent victim with the threat. The threat automatically accelerates the negotiation to the final stages, however, making the incident public and leaving only the “data extortion” threat of a public release of sensitive stolen information.