In a bold move, the ALPHV/BlackCat ransomware group has escalated its tactics, filing a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink, a digital solutions provider for financial institutions. The ransomware actors accuse MeridianLink of failing to disclose a cyberattack within the stipulated four business days, as required by the SEC’s new rules.
The saga began when ALPHV targeted MeridianLink’s network on November 7, stealing company data without encrypting systems. The ransomware group claims that despite the breach, MeridianLink did not initiate communication for ransom negotiation. In response to this alleged silence, ALPHV listed MeridianLink on its data leak site, threatening to expose the stolen data unless a ransom was paid within 24 hours.
To intensify the pressure, ALPHV took an unprecedented step by submitting a complaint to the SEC, asserting that MeridianLink failed to disclose a “significant breach” in accordance with SEC guidelines. Screenshots of the submitted complaint were posted on ALPHV’s website to validate their action.
MeridianLink, a publicly traded company, confirmed the cyberattack but denied commenting on the ransomware gang’s assertions or the SEC report. The company stated that it immediately responded to contain the threat and engaged third-party experts for an investigation. As of now, MeridianLink claims no evidence of unauthorized access to production platforms, with minimal business interruption.
Notably, the SEC’s new rules on cybersecurity incident reporting are set to take effect on December 15, 2023. ALPHV’s complaint, therefore, precedes the formal implementation of these rules, creating a unique situation for both the ransomware group and its victim.
Experts, such as Guillermo Christensen from law firm K&L Gates, view this move by ALPHV as a strategic evolution in ransomware tactics to increase pressure on victims. The group’s willingness to involve regulatory bodies signifies a shift in the landscape of cyber extortion.
This incident marks another chapter in ALPHV’s notorious cybercrime activities. The group gained notoriety for a social engineering attack on MGM Resorts in September. As the cybersecurity community grapples with these evolving tactics, it raises critical questions about the preparedness of organizations facing increasingly audacious ransomware threats.