ALPHV/BlackCat Ransomware Reports MeridianLink Hack To SEC

ALPHV Ransomware Gang Reports MeridianLink to SEC
Ransomware operators made use of the recent law to force the victim to pay the ransom

The ALPHV ransomware gang has taken an unprecedented step: it filed an SEC complaint over an alleged victim's undisclosed breach. And no, this is not a joke from ChatGPT. Hackers from the BlackCat/ALPHV group found yet another way to make the victim pay the ransom.

ALPHV Files SEC Complaint

The ALPHV/BlackCat group filed a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink. Just so you know, ALPHV is a ransomware group, and MeridianLink is their victim. The complaint alleges that the victim failed to comply with the four-day rule for disclosing a cyberattack, raising the stakes in the ongoing battle between hackers and targeted organizations.

SEC form screenshot: the threat actor's report to the SEC

The threat actor previously listed MeridianLink, a software company, on their data leak platform. An ultimatum accompanied it – the alleged stolen data would be leaked unless a ransom was paid within 24 hours. MeridianLink, a publicly traded company specializing in digital solutions for financial institutions, banks, credit unions, and mortgage lenders, was thrust into the spotlight of a high-stakes cyber confrontation.

SEC Rules and Cybersecurity Reporting

In response to an increased number of security incidents in U.S. organizations, the SEC recently introduced new rules. They require publicly traded companies to promptly report cyberattacks with material impacts on investment decisions. The reporting deadline is set at four business days after determining the incident’s materiality. According to reports, the ALPHV ransomware gang claimed to have breached MeridianLink’s network on November 7, emphasizing that they stole company data without encrypting systems.

However, it allegedly received no response from MeridianLink regarding negotiation for the stolen data, so the ransomware group decided to surprise everyone. They filed a complaint with the SEC and published a screenshot of the complaint submission on the SEC’s official platform. The complaint accuses MeridianLink of failing to disclose a cybersecurity incident involving “customer data and operational information”. However, they did not take into account one little thing. These rules are slated to take effect on December 15, 2023, as explained by Reuters in October.

Screenshot: the automated SEC receipt for the complaint submission

Will Ransomware Groups Report to the SEC in the Future?

Ransomware and extortion groups have previously threatened to report breaches to the SEC. However, the MeridianLink hack marks a public confirmation that such a report has actually been filed. This course of action raises questions about the evolving dynamics between hackers and victims, as the ALPHV ransomware group desperately moves to utilize regulatory channels to exert pressure on its targeted organization. The incident also underscores Russian hackers’ ongoing challenges with profiting from victims through heightened regulatory scrutiny.

But the question persists – will this tactic be used more and more often in the future? Well, the answer is yes and no at the same time. The thing is, the vast majority of ransomware victims are small companies, too small to go public by the rules set by the SEC. Thus, 70-80% of ransomware attacks will not have such a powerful pressure point. In the remaining cases, the pressure may still be avoided – there are enough bureaucratic tricks present in the document that backs the new SEC demand.


By Stephanie Adlam
