Ransomware gang files SEC complaint over undisclosed breach
BlackCat threw toys out of pram after victim ignored ransom demand
In a surprise turn, the AlphV/BlackCat ransomware group has filed a complaint against an alleged victim with the US Securities and Exchange Commission, for not following the four-day deadline to reveal a cyberattack.
The ransomware gang listed software company MeridianLink on its hack site, threatening to leak the stolen data unless MeridianLink paid a ransom within 24 hours.
MeridianLink is a publicly traded company that provides digital solutions for financial organisations such as banks, credit unions, and mortgage lenders. The gang claims to have breached the company's network on 7th November.
AlphV says it exfiltrated files rather than encrypting them, and that MeridianLink was aware of the attack the day it happened.
The gang added, "It appears MeridianLink reached out, but we are yet to receive a message on their end [with an intent to negotiate payment]."
That lack of response prompted the attackers to pressure the company by filing an official complaint with the SEC.
The incident has had a material impact on "customer data and operational information," as per AlphV, which under new SEC rules means it must be reported to the regulator.
The gang even posted a screenshot of the complaint it lodged on its website, stating that MeridianLink suffered a "significant breach" and did not disclose it as required in Form 8-K, under Item 1.05.
However, while amusing, the gang has got its facts wrong: the SEC's new cybersecurity rules about disclosures aren't set to take effect until 15th December 2023. Until that time, there is no four-day deadline.
MeridianLink said that, after identifying the incident, it acted "immediately" to contain the threat and engaged a team of third party experts to investigate. The company is still investigating if any consumer's personal information has been compromised.
MeridianLink said: "Based on our investigation to date, we have identified no evidence of unauthorised access to our production platforms, and the incident has caused minimal business interruption."
Bad actors have put pressure on victims in the past by contacting customers to let them know of the intrusion. However, while threats to contact regulators have been made before, this may be the first publicly confirmed incident of them doing so.