The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.
Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.
MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.
Hackers snitch to the SEC
According to DataBreaches.net, the ALPHV ransomware gang said they breached MeridianLink’s network on November 7 and stole company data without encrypting systems.
The ransomware actor said that “it appears MeridianLink reached out, but we are yet to receive a message on their end” to negotiate a payment in exchange for not leaking the supposedly stolen data.
The alleged lack of response from the company likely prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted “customer data and operational information.”
To show that their complaint is real, ALPHV published on their site a screenshot of the form they filled out on SEC’s Tips, Complaints, and Referrals page.
In their own words, the attacker told the SEC that MeridianLink suffered a “significant breach” and did not disclose it as required in Form 8-K, under Item 1.05.
Following a barrage of security incidents at U.S. organizations, the SEC adopted new rules that require publicly traded companies to report cyberattacks that have a material impact, i.e. influence investment decisions.
Cybersecurity incident reporting is “due four business days after a registrant determines that a cybersecurity incident is material,” the new rule states.
However, the SEC’s new cybersecurity rules are set to take effect on December 15, 2023, Reuters explained at the beginning of October.
ALPHV also provided on their site the reply they received from the SEC to the complaint against MeridianLink, to show that the submission was received.
MeridianLink confirms cyberattack
In a statement for BleepingComputer, MeridianLink said that after identifying the incident it acted immediately to contain the threat and engaged a team of third-party experts to investigate.
The company added that it is still working to determine if any consumer personal information was impacted by the cyberattack and it will notify affected parties if so.
While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this may be the first public confirmation that they have done so.
Previously, ransomware actors exerted pressure on victims by contacting customers to let them know of the intrusion. Sometimes, they would also try to intimidate the victim by contacting them directly over the phone.