Ransomware gang files SEC complaint about victim
In what seems to be a new twist on the ransomware theme, the notorious ALPHV/BlackCat ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) about the software company MeridianLink.
ALPHV is one of the most active ransomware-as-a-service (RaaS) operators and regularly appears in our monthly ransomware reviews. MeridianLink supplies “digital lending solutions” to banks, credit unions, fintechs, and other financial institutions.
Since September 5, 2023, the SEC has required public companies to disclose within four days all cybersecurity breaches that could impact their bottom lines. Apparently ALPHV is aware of the new rules, and in this screenshot of the SEC complaint form it wrote:
“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.
It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”
The referenced item (Form 8-K Item 1.05) states:
“Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:
• Nature, scope, and timing; and
• Impact or reasonably likely impact.
An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety.
Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.”
As you can see, there are possible exceptions, and for all we know the investigation into the nature and gravity of the data breach is still ongoing. Or the breach may be far less material than ALPHV wants us to believe.
In a statement to databreaches.net MeridianLink said:
“Safeguarding our customers’ and partners’ information is something we take seriously. MeridianLink recently identified a cybersecurity incident that took place on Nov 10. Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.
We have no further details to offer currently, as our investigation is ongoing.”
Apparently the ransomware operators like to pretend that what they are doing is their civic duty. This tile is posted on the landing page of the gang’s leak site.
Clicking through, we found the screenshot of the form and a statement that does little to explain why they filled out the form.
“Despite this requirement, MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago. We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission (SEC). It appears MeridianLink reached out, but we are yet to receive a message on their end. Maybe this was their DFIR, Mandiant, who did so without authorization from their client. Whatever the reason is…..we are giving you 24 hours before we publish the data in its entirety.”
Whatever the reason is behind MeridianLink’s apparent decision not to report the cyber-incident (yet), the action taken by ALPHV certainly is something we haven’t seen before. It may be a warning or an attempt to gain extra leverage. Knowing how hard it can be to determine the scope of a cyberattack in just a few days, we can expect to see this happen more often.