BlackCat/ALPHV Abuses SEC Breach Reporting Rule for Double Extortion

Date: November 16, 2023

The ALPHV/BlackCat ransomware gang has found a way to put yet another twist on the double extortion gambit by submitting a U.S. Securities and Exchange Commission (SEC) complaint against a victim organization alleging the company did not comply with a recently enacted four-day rule for some companies to report security events.

The SEC announced in July that it will require publicly traded companies to disclose cyberattack events within four business days if they are deemed “material” to current and prospective shareholders “in making an investment decision.”

"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors," SEC Chair Gary Gensler said, as reported by Bleeping Computer.

While the rules are not set to take effect until December 15, 2023, the ALPHV/BlackCat ransomware gang has already attempted to leverage the rule in an effort to put more pressure on alleged victim MeridianLink, who was targeted in early November with data exfiltration and a ransom demand, though no ransomware payload was delivered.

Takeaway: Whether it’s threats to expose clinical photographs of breast cancer patients or to leak very intimate details of abuse and mental health status of vulnerable students, data extortion and ransomware groups have shown time and time again that there is no line they will not cross to enrich themselves.

Double extortion is a very common tactic used by ransomware gangs to compel victims to pay a ransom demand. Early variations included data exfiltration with the threat to expose or sell the information, threats to notify the victim’s customers that their data has been breached, denial of service (DoS) attack threats, threats to inform cyber insurers of infection vector details in order to nullify coverage, and more.

While this new tactic is not surprising given that ransomware and data extortion threat actors have zero conscience and are only motivated by profit, it does highlight yet another issue with the SEC’s ill-advised plan.

What does the government do when they can’t protect organizations against increasingly disruptive ransomware campaigns that are for the most part just state-sponsored cyber-terrorism attacks?  

They re-victimize the victims of these attacks so they can pat themselves on the back and say they are doing something to address the problem. In reality, they are just making the problem worse for the victims.

More visibility and accountability in regard to security-related events at publicly traded companies is a good thing on its face, but we do have to be careful not to confuse disclosing information about a cyberattack with actually informing investors as to why an attack should be considered in their investment decisions.

The real challenge for organizations with this new SEC ruleset is going to be twofold: first, the onus is on corporate officers to decide if and when a security event reaches the threshold of being “material” to investors.  

This leaves quite a bit of room for subjectivity and plausible deniability, and – if not structured correctly – could produce a culture where there is pressure on security teams to conceal security events from the executive suite, so the event goes unreported.

The second challenge is whether or not investors are educated enough about all things cyber to know what to do with information about an incident – and this is the real rub here. There can be a very significant amount of time that passes between “we are under attack” and “we understand the full nature of and potential impact of the attack.”

Forensic investigations are difficult, and they take time. The disclosure rule set by the SEC, if not supported by investor education efforts, has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.

But investors, once informed of an attack, will want the details, and want them now. This could create situations where company leadership appears incompetent because they can’t answer tough questions about an event, undermining investor confidence.  

The company's leadership would then be in a position where they trickle out incomplete information over time as the investigation progresses, and simply end up dying by a thousand cuts.  

The inability to provide concrete answers immediately will likely create confusion and anxiety for investors, causing them to overreact to an event that – while reportable per SEC rules – may in fact not be that serious of an event from a security standpoint.

And there are more issues that can arise. There is also the potential impact that the SEC rules will have on security culture within an organization. As it stands, the SEC rules will likely create top-down pressure on security teams to be less forthcoming with the C-level and BoD when faced with a security event.

As written, reporting is “due four business days after a registrant determines that a cybersecurity incident is material.” This determination likely rests at the very highest levels of an organization, with the company's officers.

It’s not hard to see that security teams will feel pressure to not report events to leadership unless they absolutely have to, and this has the potential to negatively impact security operations.

Worse yet, we now see how these new SEC rules can be abused by attackers to compel victim organizations to pay ransom demands, which is completely counter to what other agencies in the US government are strongly advocating – to never pay a ransom demand.

And last but not least, victim organizations should keep in mind that even good-faith negotiations with ransomware attackers could face intense scrutiny by their insurer, by law enforcement, and by regulators, and any payment to ransomware operators who may be under international sanctions restrictions could land an organization and its leadership in very serious trouble.

All of these factors add up to one thing: organizations who were already struggling to defend themselves against the threat from ransomware and data extortion attacks now also have to face the threat of being re-victimized by an overzealous regulatory landscape.
