Ransomware gang files SEC complaint over victim’s undisclosed breach

Ransomware gang files complaint with SEC complaining victim didn’t promptly announce breach

The cybercrime gang claims its victim 'has not fulfilled' their obligation to report the breach.

 

Mikael Thalen

Posted on Nov 16, 2023   Updated on Dec 19, 2023, 8:55 am CST

A notorious ransomware group filed a complaint with the U.S. Securities and Exchange Commission (SEC) after one of its alleged victims reportedly failed to disclose their breach.

In a post to the dark web on Wednesday, ALPHV, the cybercrime gang also referred to as BlackCat, claimed it hacked the software company MeridianLink and threatened to make its data public unless a ransom was paid.

That same day, ALPHV took its coercion one step further by announcing that it alerted the SEC to the breach. ALPHV cited new SEC rules that require publicly traded companies to report cyberattacks within four days.

But the new rules, as noted by Reuters, don’t go into effect until Dec. 15. The initial breach of MeridianLink, according to comments given to DataBreaches.net by an ALPHV representative, took place on Nov. 7.

ALPHV further stated that MeridianLink appears to have reached out, “but we are yet to receive a message on their end” to discuss whether a payment will be made to stop the leak of data.

ALPHV also shared numerous screenshots of the SEC portal where the complaint was made.

“The recent adoption of SEC rules mandates public companies to promptly disclose material cybersecurity incidents under Item 1.05 of Form 8-K within four business days of determining such incidents to be material,” the group wrote on its blog. “Despite this requirement, MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago.”

While many have called the move unprecedented, Brett Callow, threat analyst for the cybersecurity firm Emsisoft, notes that at least one other ransomware group claimed it would do the same in the past.

In remarks to the Daily Dot, Callow argued that ALPHV’s tactic was unlikely to convince MeridianLink to pay any ransom.

“This was a miscalculation by ALPHV. It’ll not make companies more likely to pay, but it may make them more likely to comply—especially after the Sullivan case,” Callow said.

The Sullivan case refers to the conviction earlier this year of former Uber CSO Joseph Sullivan, who was sentenced to three years of probation after concealing a ransomware attack against the company in 2016 while it was under investigation by the Federal Trade Commission.

“Execs likely wouldn’t want ALPHV to be able to hold a failure to report over their heads as it’d open the door to a second round of extortion,” Callow added.

As of now, it remains unclear if ALPHV will release the alleged data. In a statement to DataBreaches.net, MeridianLink did confirm that it had “identified a cybersecurity incident” but claimed it had “identified no evidence of unauthorized access to our production platforms.”

An investigation by MeridianLink into the purported breach is ongoing.

First Published: Nov 16, 2023, 12:51 pm CST