One of the more bizarre actions in cyber-attacks happened this week. The US Securities and Exchange Commission recently made a new rule that if you are a publicly traded company, that you have to report cyberattacks within 4 days. One ransomware operation filed a complaint with the SEC against one of their victims, MerdianLink, for not reporting the hack. They combined that along with a threat of release of customer data if not paid within 24 hours. This brings the game to a new level, and while surprising, I expect it will bring many more similar threats.

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.