Man Bites Dog: In an unusual twist in cybercrime, the ransomware group BlackCat/ALPHV is manipulating the SEC's new 4-day rule on cyber incident reporting to increase pressure on their victims. This latest maneuver highlights a sophisticated understanding of regulatory impacts in ransomware strategies.
SEC's Ruling Impact: Since July 26, 2023, the SEC has mandated that public companies disclose significant cyber incidents within four days. BlackCat, known for their Ransomware as a Service (RaaS) model, is exploiting this rule. They recently claimed to have extracted sensitive data on November 7, 2023, necessitating a report by November 11 under SEC regulations. BlackCat's strategy includes a 24-hour ultimatum for ransom payment, intensifying pressure on the victim.
BlackCat's Evolving Tactics: Already notorious for triple extortion tactics, BlackCat's strategies range from encryption and DoS attacks to data theft and threats of public exposure. This new method of filing reports to the SEC on behalf of their victims is a clever yet alarming escalation in their extortion playbook.
Understanding the SEC Rule: The SEC rule requires businesses to disclose the nature, scope, and timing of a cyberattack, along with its potential impact. This new strategy by BlackCat underscores the necessity for companies to be vigilant and proactive in their cybersecurity measures.
The Upshot: Ransomware gangs will use—any—pressure tactic to get money out of their victims. An ounce of prevention is worth a pound of cure. Train your workforce.