Black Cats & Ransomware
ITS Recruitment | ITS Works
The ransomware group ALPHV/BlackCat has filed a U.S. Securities and Exchange Commission complaint against one of its alleged victims for not complying with the four-day cyberattack disclosure rule.
ALPHV listed software company MeridianLink on its data leak site, with a threat to leak allegedly stolen data unless a ransom is paid within 24 hours.
ALPHV has stated that it breached MeridianLink’s network on 7th November, stealing company data; it also stated that MeridianLink had contacted the group but to date has not negotiated a payment to prevent the leak of stolen data.
It appears that the lack of cooperation from MeridianLink prompted ALPHV to increase pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC), reporting MeridianLink for not disclosing a cybersecurity incident impacting “customers data and operational information.”
ALPHV published a screenshot of Form 8-K they completed on the SEC’s Tips, Complaints, and Referrals page, reporting that MeridianLink had suffered a “significant breach” which it did not disclose, as required under SEC rules. They have also published an acknowledgment from the SEC, proving that their submission was received. While cyber criminals have threatened this previously, this is thought to be the first time a ransomware gang has actually reported a victim’s breach to the SEC.
The SEC’s new cybersecurity rules will take effect on 15th December 2023, and state that cybersecurity incident reporting is “due four business days after a registrant determines that a cybersecurity incident is material”.
MeridianLink, which provides digital solutions to banks and other financial services institutions, has published a statement confirming the attack. It said that once the incident had been identified it acted immediately to contain it, and that an investigation is ongoing to determine if clients’ personal information was compromised. It also reported that there is no clear “evidence of unauthorised access” to its production platforms, and that there has been “minimal business interruption”.
So, it appears that the SEC has unwittingly become another tool in the ransomware arsenal, to be used against organisations that fail to notify regulatory bodies when systems have been breached and personal data put at risk. It has even been suggested that attacks of this nature followed by publication of data, or as in this case referral to the SEC, could be used to short stocks on the victim organisation, thus providing another income for the cyber-criminals. How long before we see a similar action leveraging the ICO in the UK?