ALPHV/BlackCat Ransomware Group Lodges SEC Complaint Against MeridianLink

The infamous ALPHV/BlackCat ransomware group has taken a novel approach to coercion. The syndicate has submitted a complaint to the U.S. Securities and Exchange Commission (SEC) against MeridianLink, one of its alleged targets. This action follows the group’s accusation that MeridianLink failed to adhere to the SEC’s four-day rule for disclosing a cyberattack.

Targeting MeridianLink

MeridianLink, a publicly traded software enterprise, is the victim of the ransomware assault by ALPHV. MeridianLink specializes in digital solutions for financial entities, including banks, mortgage lenders, and credit unions. The hackers assert that they infiltrated MeridianLink’s network on November 7 and stole sensitive company data without encrypting systems.

Informing the SEC

As per reports from DataBreaches.net, the ALPHV ransomware collective claimed that MeridianLink did not respond to negotiation attempts for a ransom payment within the specified 24-hour time frame. And, in reaction to what they perceived as non-compliance, the hackers escalated the pressure by officially filing a complaint with the SEC.

ALPHV’s complaint alleges that MeridianLink neglected to disclose a substantial cybersecurity incident affecting customer data and operational information. To further substantiate their claim, ALPHV published a screenshot of the filed complaint through the SEC’s Tips, Complaints, and Referrals page on their website. The attackers told the SEC that MeridianLink suffered a “significant breach” and did not disclose it as required in Form 8-K, under Item 1.05.

SEC Regulations and Timelines

Citing the SEC’s forthcoming rules, the ransomware group asserted that publicly traded companies must report cyberattacks with a material impact within four business days. This includes incidents influencing investment decisions. ALPHV accused MeridianLink of failing to comply with these regulations and released the response they received from the SEC, confirming the reception of their complaint.

However, the new SEC cybersecurity regulations are slated for implementation from December 15, 2023, onwards, much later after the purported breach at MeridianLink occurred,

MeridianLink’s Statement

Responding to the allegations, MeridianLink issued a statement to BleepingComputer. The company confirmed that immediate action was taken to contain the threat upon identifying the incident. They engaged a team of third-party experts to conduct a comprehensive investigation. MeridianLink also conveyed that they are actively working to ascertain if any consumer personal information was impacted by the cyberattack and pledged to notify affected parties accordingly.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” stated MeridianLink.

Unconventional Tactics in Ransomware Incidents

While it is customary for ransomware groups to threaten victims with reporting breaches to the SEC, the incident involving MeridianLink signifies a noteworthy departure. Ransomware groups typically exert pressure by contacting customers or directly intimidating the victims. However, ALPHV’s decision to formally file a complaint with the SEC marks a novel and audacious approach in the realm of cyber extortion.

As the cybersecurity landscape evolves, organizations grapple with escalating challenges in safeguarding against sophisticated threats and navigating the intricate terrain of disclosure regulations. The MeridianLink incident underscores the shifting tactics employed by ransomware groups, emphasizing the critical need for robust cybersecurity measures.