A prolific ransomware group appears to have reported one of its victims to the US Securities and Exchange Commission (SEC), in a bid to pressure payment.
BlackCat/ALPHV said it compromised digital lending solutions provider MeridianLink on November 7, but the firm refused to engage with it despite the group claiming to have exfiltrated sensitive data.
However, BlackCat appears to have upped the ante by trying to take advantage of new SEC rules which require disclosure of breaches with “material impact” within four days.
According to screenshots posted to X (formerly Twitter) by MalwareHunterTeam, the threat actors filed with the SEC’s “Tips, Complaints, and Referrals” site.
“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” the complaint read.
“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”
The group then gave its victim 24 hours to pay a ransom or risk a full leak of the stolen data.
However, the move by BlackCat may be intended more as a warning to other victims than a genuine attempt to pressure MeridianLink into paying. The new SEC reporting rules don’t officially kick in until December 15 this year.
ImmuniWeb chief architect, Ilia Kolochenko, warned that disclosures to regulatory agencies in the US and EU could become more frequent going forward, increasing the jeopardy for publicly listed firms.
“Victims of data breaches should urgently consider revising their digital forensics and incident response (DFIR) strategies by inviting corporate jurists and external law firms specialized in cybersecurity to participate in the creation, testing, management and continuous improvement of their DFIR plan,” he argued.
“Many large organizations still have only technical people managing the entire process, eventually triggering such undesirable events as criminal prosecution of CISOs and a broad spectrum of legal ramifications for the entire organization. Transparent, well-thought out and timely response to a data breach can save millions.”
A MeridianLink statement republished on X claimed that the firm discovered an incident on November 10 and “acted immediately to contain the threat.”
It added that the threat actors did not access production platforms and that the incident “caused minimal business interruption.”