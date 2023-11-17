Image: - © AFP/File JEFF KOWALSKY

The ALPHV/BlackCat ransomware group has reported MeridianLink to the SEC for allegedly failing to disclose a material hack. “We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” the complaint reads.

This continues: “It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

The complaint was issued after the hacker group allegedly received no response from MeridianLink, TechTarget reports.

Does this represent the first case of a hacker group issuing a formal complaint about their victim?

Jake Williams, former U.S. National Security Agency (NSA) hacker and Faculty member at IANS Research explains to Digital Journal that the interests of the hacker group are not altruistic; financial incentives continue to predominate.

Williams explains: “Cyber criminals will leverage any tool they have to monetize their activities. While selling stolen data was traditionally a primary method of monetizing cybercrime, ransomware has overtaken data theft in recent years.”

One of the reasons behind the change in tactics is due to the technological fight back against hackers. This leads Williams to state: “As more organizations establish better response plans for recovering from a ransomware attack, these operators have had to change their tactics to incentivize victims to pay.”

Consequently, finds Williams: “Threatening public release of data (so-called double extortion) has been moderately effective in compelling payment from victims, but many organizations that pay do so hoping to keep their incident out of the public eye.”

With the specific case, Williams charts the sequence of events: “By reporting their own intrusion to the SEC, BlackCat took the next logical step in incentivizing extortion payments by directly notifying a regulator of a victim who had failed to notify themselves. We should expect that other cybercriminal groups will take similar measures with the SEC.”

As to what might happen in the future, Williams speculates: “Cyber criminals will also likely threaten privately held organizations with extortion by reporting data theft to other regulatory bodies as applicable.”

As such, Williams muses: “BlackCat has opened Pandora’s box – it’s clear we’ve entered the age of criminals weaponizing regulators against compromised organizations. Whether these reports are simply used to enforce standards or used to further victimize these organizations will be entirely up to regulators. The cyber criminals are watching, regulators need to tread very carefully.”