The notorious ALPHV/BlackCat ransomware syndicate has taken an unprecedented step by lodging a formal complaint with the U.S. Securities and Exchange Commission, targeting MeridianLink. This notable software provider, integral to financial institutions like banks and credit unions, now faces allegations of not reporting a cyberattack within the required four-day window.
MeridianLink has also been publicly named on the ransomware group’s data leak website. ALPHV has set a tight deadline, demanding a ransom from MeridianLink within just 24 hours to avert the release of what they claim to be stolen data. This turn of events represents a significant escalation in ransomware tactics and underscores an increasing trend of cybercriminals boldly challenging large, publicly traded enterprises.
New details emerged about the MeridianLink breach
New details point to an unconventional cyberattack. According to DataBreaches.net, ALPHV, which also operates under the alias BlackCat, asserts that it penetrated MeridianLink’s network on November 7. Departing from the usual ransomware path, the group claims to have extracted sensitive data rather than encrypting company systems, which is the standard practice.
Adding an unexpected twist, ALPHV revealed that though there seemed to be initial outreach from MeridianLink, this did not evolve into meaningful negotiations over the alleged stolen data. This lack of communication might have triggered the hackers to shift gears, adopting a more confrontational approach. Their next move was to file a complaint with the U.S. Securities and Exchange Commission (SEC), accusing MeridianLink of not disclosing a cybersecurity incident that affected crucial customer and operational data.
To bolster their allegations, ALPHV posted a screenshot on their site showing a completed form on the SEC’s Tips, Complaints, and Referrals portal. In the submission, they described the situation as a “significant breach” and alleged that MeridianLink failed to meet the disclosure obligations required under Item 1.05 of Form 8-K.
This scenario fits into a larger pattern of rising cybersecurity threats, like the MeridianLink breach, across the U.S. Reacting to this uptick in incidents, the SEC has rolled out new rules, compelling publicly traded companies to swiftly report cyberattacks that have a material impact. The MeridianLink case not only showcases the evolving strategies of ransomware groups but also emphasizes the growing need for prompt and clear disclosure in such incidents.
Yet, the MeridianLink breach scenario is further complicated by a crucial timing element. In a report from early October, Reuters pointed out that the new SEC cybersecurity rules are scheduled to come into effect on December 15, 2023. This timing adds an intriguing twist to the already complex MeridianLink case.
Adding to the unfolding drama, ALPHV has taken the step of displaying the SEC’s confirmation of their complaint against MeridianLink on their website. This action is a deliberate move by the ransomware group to validate their SEC submission and to show that their tactics have real-world impacts, extending into the realm of regulatory compliance. This development in the MeridianLink breach not only intensifies the situation but also highlights the bold strategies cybercriminals are employing.
Moving forward in the MeridianLink breach narrative, the company has now confirmed the cyberattack. Speaking with BleepingComputer, MeridianLink outlined its immediate measures to mitigate the threat, emphasizing the rapid deployment of containment strategies and the engagement of external cybersecurity experts for an in-depth investigation.
MeridianLink is actively evaluating the extent to which consumer personal information may have been affected by this cyberattack. The company has committed to notifying any individuals whose personal data may have been compromised.
In a statement meant to provide assurance, MeridianLink stated, “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” This comment seeks to reassure stakeholders about the control and minimal impact of the situation.
This development represents a pivotal moment in the evolving tactics of ransomware and extortion. While threats to report breaches to the SEC have been made by cybercriminal groups in the past, the MeridianLink incident could be the first where such a report is publicly confirmed. Traditionally, ransomware groups have exerted pressure through tactics like informing customers of the breach or directly intimidating the victim. ALPHV’s decision to file a complaint with the SEC marks a significant shift towards more formal and assertive strategies in the realm of cyber extortion.
Images used in this post are courtesy of BleepingComputer.