SentinelLabs investigates a new tactic in which cybercriminals exploit a new legal reporting requirement after a cyberattack. Cybercriminals continue to develop creative ways to extort companies. In one instance, after breaking in, the attackers threatened to report MeridianLink, a financial services company, to the U.S. Securities and Exchange Commission (SEC) if it did not pay within 24 hours.
On 7 November, the ALPHV (BlackCat) gang broke into MeridianLink without using ransomware. The company subsequently said it was aware of the breach on 10 November. On 15 November, ALPHV added MeridianLink to its Tor-based data breach website, along with excerpts and screenshots of the complaint it had filed with the SEC, alleging that the company had failed to report the breach within four days.
Extortion by skilful use of the law
In mid-2023, the SEC approved updated requirements for cyber incident reporting. Under these new requirements, all companies must report cybersecurity incidents, with all relevant details, within four days or risk heavy financial penalties. The new requirements apply from 18 December 2023 for large organisations and from June 2024 for all other organisations. However, cybercriminals such as the BlackCat gang are already abusing the new rules to threaten victims, even before the rules have come into force.
Although the new rules were not yet in force in the MeridianLink case, it is clear that cybercriminals may use this tactic to pressure victims in the future. The aim seems to be to prevent organisations from stalling for time to mitigate the damage, negotiate the amount of payment or otherwise avoid notifying their partners, customers and other affected parties.
Conclusion
Legal frameworks such as the SEC's new rules, the GDPR and existing laws are being misused to put more pressure on vulnerable organisations. With these new tactics, cybercriminals try to force victims to comply with ransom demands by instilling fear of both legal liability and reputational damage.
The rise of these tactics highlights the need for organisations to strengthen their cybersecurity, ensure compliance with legal requirements and be prepared for new threats. Cybercriminals continue to develop creative ways to extort businesses. Organisations must remain vigilant and adapt to defend against these ever-changing threats.