ALPHV ransomware files SEC complaint on company for not disclosing breach

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.

Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.

MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.

Hackers snitch to the SEC

According to DataBreaches.net, the ALPHV ransomware gang said they breached MeridianLink’s network on November 7 and stole company data without encrypting systems.

The ransomware actor said that “it appears MeridianLink reached out, but we are yet to receive a message on their end” to negotiate a payment in exchange for not leaking the supposedly stolen data.

The alleged lack of response from the company likely prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted “customer data and operational information.”

ALPHV ransomware irritated by MeridianLink's silence
ALPHV ransomware irritated by MeridianLink's silence
source: BleepingComputer

To show that their complaint is real, ALPHV published on their site a screenshot of the form they filled out on SEC’s Tips, Complaints, and Referrals page.

In their own words, the attacker told the SEC that MeridianLink suffered a “significant breach” and did not disclose it as required in Form 8-K, under Item 1.05.

ALPHV ransomware SEC complaint against MeridianLInk
ALPHV ransomware SEC complaint against MeridianLInk
source: BleepingComputer

Following a barrage of security incidents at U.S. organizations, the SEC adopted new rules that require publicly traded companies to report cyberattacks that have a material impact, i.e. influence investment decisions.

Cybersecurity incident reporting is “due four business days after a registrant determines that a cybersecurity incident is material,” the new rule states.

However, the SEC’s new cybersecurity rules are set to take effect on December 15, 2023, Reuters explained at the beginning of October.

ALPHV also provided on their site the reply they received from the SEC to the complaint against MeridianLink, to show that the submission was received.

Automated reply from SEC to ALPHV complaint against MeridianLInk
Automated reply from SEC to ALPHV complaint against MeridianLInk
source: BleepingComputer

MeridianLink confirms cyberattack

In a statement for BleepingComputer, MeridianLink said that after identifying the incident it acted immediately to contain the threat and engaged a team of third-party experts to investigate.

The company added that it is still working to determine if any consumer personal information was impacted by the cyberattack and it will notify affected parties if so.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” - MeridianLink

While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this may be the first public confirmation that they have done so.

Previously, ransomware actors exerted pressure on victims by contacting customers to let them know of the intrusion. Sometimes, they would also try to intimidate the victim by contacting them directly over the phone.

Related Articles:

ALPHV ransomware claims loanDepot, Prudential Financial breaches

Johnson Controls says ransomware attack cost $27 million, data stolen

MGM Resorts ransomware attack led to $100 million loss, data theft

Fidelity National Financial: Hackers stole data of 1.3 million people

MGM casino's ESXi servers allegedly encrypted in ransomware attack