Unprecedented Ransomware Tactics: ALPHV/BlackCat Files SEC Complaint Against MeridianLink
The cybercriminal group ALPHV/BlackCat has introduced a new extortion tactic: filing a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink. The hackers accused the company of failing to comply with the four-day deadline for officially disclosing information about a cyberattack.
Under new SEC rules, publicly traded companies must report cyberattacks with material consequences, i.e., those impacting investment decisions. However, these rules only come into effect on December 15, 2023.
MeridianLink, a publicly traded company specializing in digital solutions for financial organizations and banks, appeared on ALPHV’s list of breached organizations. The criminals threatened to disclose the stolen data unless a ransom was paid within 24 hours.
According to DataBreaches.net, ALPHV claims to have penetrated MeridianLink’s network on November 7 and stolen data without encrypting any systems. The group cited a lack of response from the company regarding ransom negotiations, which presumably prompted the SEC complaint.
The complaint to the SEC states that MeridianLink failed to disclose a significant cybersecurity breach as required by law. To substantiate the filing, ALPHV published on its own site a screenshot of the completed complaint form from the SEC website.
MeridianLink confirmed the cyberattack to BleepingComputer and stated that it took measures to contain the threat immediately after detecting it and brought in external experts to investigate. The company also reported that it is working to determine whether consumer personal data was affected and is prepared to notify the relevant parties if necessary. The company claims there is no evidence of unauthorized access to production platforms and that the cyberattack caused minimal operational disruption.
This incident may represent the first publicly acknowledged case where a ransomware group directly approached the SEC. Previously, ransomware groups limited themselves to threats of contacting regulatory bodies or informing the victims’ clients about the breach.