A notorious ransomware gang has filed a “failure to report” complaint against its own victim to the U.S. Securities and Exchange Commission (SEC) after an alleged breach last week. On its website, ALPHV/BlackCat published screenshots of a filled-out form on the SEC’s “Tips, Complaints, and Referrals” page as well as the automated response it received after submitting the form, according to a BleepingComputer's report.
Screenshots of the reported SEC complaint against MeridianLink were posted on Nov. 15 by ALPHV/BlackCat online. The cybergang claims it stole data from digital lending company MeridianLink on Nov. 7. An SEC spokesperson declined to comment in response to an inquiry by SC Media about whether the complaint was received by the agency.
Meanwhile, MeridianLink told SC Media it was the victim of a cyber incident however no user data was breached. Nevertheless, ALPHV/BlackCat alleges it executed a “significant” breach against MeridianLink.
“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” the hackers wrote.
According to experts, this is the first time hackers have weaponized the SEC complaint system against a victim.
While the SEC adopted new disclosure rules in July, shortening the deadline to disclose certain data breaches, the new rules do not go into effect until mid-December 2023.
"This is an unintended consequence of the SEC ruling," commented Chris Hodson, CSO of data security company Cyberhaven, in a statement for SC Media. "It displays bizarre confluence of criminal audacity and legal manipulation, setting a precedent where cybercriminals don't just carry out breaches, but also exploit legal loopholes. It's a cyber attack with a legal twist, turning the tables on corporate disclosure and redefining the rules of digital extortion."
Firm claims no sensitive data breached
MeridianLink, which provides digital lending and account opening services to financial institutions, responded to ALPHV/BlackCat’s claims in a statement provided to SC Media.
“MeridianLink recently identified a cybersecurity incident. Safeguarding our customers’ and partners’ information is something we take seriously. Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident,” the statement read.
“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption. If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law,” according to the firm.
The company said it could not provide further details due to its ongoing investigation.
How far will ransomware groups go for money?
On its website, ALPHV/BlackCat threatened to publish MeridianLink’s data within 24 hours of posting the SEC complaint screenshots. A screenshot published by BleepingComputer of the ransomware group’s complaint shows a time stamp of 8:46 p.m. on Nov. 15, although a time zone is not indicated.
The ALPHV/BlackCat cybergang is highly active and known for its aggressive extortion tactics. The group maintains a leak site where it publishes data from victims who do not pay ransom, and earlier this year, it implemented API integration to the site to facilitate greater exposure. In March, the gang published sensitive photos of breast cancer patients from Lehigh Valley Health Network after the organization refused to pay a $1.5 million ransom, a move that highlights the group’s ruthlessness.
John Morello, CTO of cybersecurity solutions company Gutsy, opined that this most recent incident represents a fresh attack angle for ransomware groups and an emerging concern for security professionals.
"It's a daring new attempt to put CISOs' personal liability at play in ransomware negotiations. This clearly shows the SEC's mandate can be weaponized as an additional lever to pressure targets," Morello told SC Media. "Security leaders need to be aware that it's no longer just security best practices but now also federal legal liabilities that govern disclosure decisions and plans."
The 2023 Active Adversary Report for Tech Leaders compiled by Sophos in September identified ALPHV/BlackCat as the second most active ransomware group in both 2022 and the first half of 2023. Most recently the group was fingered by eSentire in a report outlining how the cybergang planted malicious ads on Google search results. The SEC complaint comes after the Federal Bureau of Investigation (FBI), faced criticism from security leaders for failing to arrest ALPHV/BlackCat affiliates involved in a major hack of MGM International and Caesars Entertainment in September. The attacks cost the casino companies more than $100 million, including a $15 million ransom paid by Caesars.