Ransomware Gang ALPHV Takes Unprecedented Step: Files SEC Complaint Over Alleged Victim’s Undisclosed Breach
And no, this is not a joke from ChatGPT. Hackers from the BlackCat/ALPHV group found yet another way to make the victim pay the ransom.
ALPHV Files SEC Complaint
The ALPHV/BlackCat group filed a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink. Just so you know, ALPHV is a ransomware group, and MeridianLink is their victim. The complaint alleges that the victim failed to comply with the four-day rule for disclosing a cyberattack, raising the stakes in the ongoing battle between hackers and targeted organizations.
The threat actor previously listed MeridianLink, a software company, on their data leak platform. An ultimatum accompanied the listing – the allegedly stolen data would be leaked unless a ransom was paid within 24 hours. MeridianLink, a publicly traded company specializing in digital solutions for financial institutions, banks, credit unions, and mortgage lenders, was thrust into the spotlight of a high-stakes cyber confrontation.
SEC Rules and Cybersecurity Reporting
In response to an increased number of security incidents in U.S. organizations, the SEC recently introduced new rules. They require publicly traded companies to promptly report cyberattacks with material impacts on investment decisions. The reporting deadline is set at four business days after determining the incident’s materiality. According to reports, the ALPHV ransomware gang claimed to have breached MeridianLink’s network on November 7, emphasizing that they stole company data without encrypting systems.
However, the group allegedly received no response from MeridianLink regarding negotiation over the stolen data, so it decided to surprise everyone. They filed a complaint with the SEC and published a screenshot of the complaint submission on the SEC’s official platform. The complaint accuses MeridianLink of failing to disclose a cybersecurity incident involving “customer data and operational information”. However, they did not take into account one little thing. These rules are slated to take effect on December 15, 2023, as explained by Reuters in October.
Will Ransomware Groups Report to the SEC in the Future?
Ransomware and extortion groups have previously threatened to report breaches to the SEC. However, the MeridianLink hack marks a public confirmation that such a report has now been filed. This course of action raises questions about the evolving dynamics between hackers and victims as the ALPHV ransomware group desperately moves to utilize regulatory channels to exert pressure on their targeted organization. The incident also underscores Russian hackers’ ongoing challenges with profiting from victims through heightened regulatory scrutiny.
But the question persists – will this tactic be used more and more often in the future? Well, the answer is yes and no at the same time. The thing is, the vast majority of ransomware victims are small companies, too small to go public under the rules set by the SEC. Thus, 70-80% of ransomware attacks will not have such powerful pressure points. In the remaining cases, the pressure may still be avoided – there are enough bureaucratic tricks present in the document that backs the new SEC demand.