Ransomware Meets Regulation: BlackCat Gang's Attack on MeridianLink

In a surprising twist the week before Thanksgiving, the infamous BlackCat ransomware gang took a bold step by filing a complaint with the U.S. Securities and Exchange Commission (SEC) against one of their victims, MeridianLink. This unprecedented move has raised both eyebrows and questions about the evolving strategies of ransomware actors and the potential implications for both victims and regulatory bodies.

A Pivotal Shift in Tactics

Traditionally, ransomware attacks have involved encrypting or stealing sensitive data, coupled with threats to expose it unless a ransom is paid. However, the BlackCat gang has veered off the beaten path by leveraging regulatory and compliance requirements as an extortion lever. Their complaint alleged that MeridianLink violated the SEC's new cyber incident reporting rules, by not reporting the fact that BlackCat ransomed them within the required four-day period. 

This shift in tactics highlights that the cyber threat landscape is ever-evolving, and threat actors are quick to exploit new avenues to achieve their objectives. BlackCat's move to manipulate regulatory frameworks underscores the need for organizations to be vigilant not only against traditional cyber threats but also against unconventional strategies that threaten their operations and reputation. 

Over the coming months, it will be interesting to see if BlackCat or another gang continues pursuing this extortion line.  If so, what other regulatory frameworks, such as HIPPA, NERC CIP, or even CMMC, will they consider exploiting? 

So, is Compliance the Enemy? 

Regardless of what anyone who’s experienced an audit may tell you (and trust me, I’ve been there), the answer here is a NO – compliance is NOT the enemy. BlackCat's maneuver should NOT be seen as an indictment of regulatory frameworks. Rather, it should emphasize the need for lawmakers to anticipate and guard against potential abuses of their regulations. Additionally, it should highlight that regulatory frameworks MUST clearly define what a company needs to do and when it needs to be done to comply. The more ambiguous a requirement is, the more leeway there is for potential abuse.

Companies, in turn, must prioritize understanding and adhering to their compliance responsibilities. This will bolster their cyber defenses and mitigate the risk of falling victim to such tactics. After all, if you understand your compliance responsibilities and meet them fully, extortion based on non-compliance cannot exist. Ultimately, the fight against cyber threats requires a collaborative effort. Organizations, lawmakers, and cybersecurity professionals must work together to create a resilient defense.