Ransomware Group Steps Up Extortion: Files SEC Complaint Over Hidden Data Breach

The ALPHV/BlackCat ransomware syndicate has upped its game by taking an unprecedented step: lodging a formal complaint with the U.S. Securities and Exchange Commission (SEC) against an alleged victim for failing to adhere to the mandatory disclosure timeline following a cyberattack.

The victim in question, MeridianLink, was named in the threat actor’s data leak with an ultimatum: pay the demanded ransom within 24 hours or face the potential exposure of purportedly pilfered data.

ALPHV claims to have breached the company on November 7, absconding with company data without performing any encryption. Despite the alleged breach, the ransomware group asserts that MeridianLink failed to engage in negotiations regarding the demanded ransom, precipitating the formal complaint to the SEC.

The crux of the complaint centers on MeridianLink’s purported non-disclosure of a cybersecurity incident that, according to the attackers, compromised both customer data and operational information. The ransomware group bolstered their complaint by publishing a screenshot of the submission made through the SEC’s reporting mechanism, ostensibly to prompt action on the victim’s compliance with disclosure requirements.

However, MeridianLink has countered, asserting that it responded promptly upon detecting the incident. Having engaged third-party experts to investigate, the company is currently evaluating potential impacts on consumer data and pledges to notify affected parties accordingly.

This event spotlights a significant evolution in ransomware tactics, with cybercriminals resorting to formal legal channels such as SEC complaints to exert pressure on victims. Prior tactics involved direct intimidation or reaching out to customers to announce breaches; the SEC complaint marks a shift in strategy towards more systemic pressures on non-compliant entities.

The incident occurs against a backdrop of impending SEC regulations mandating prompt disclosure of material cybersecurity incidents by publicly traded companies. Scheduled for enforcement in December 2023, these regulations aim to enhance transparency and accountability in the wake of escalating cyber threats targeting corporate entities.

To mitigate the escalating threats of ransomware gangs resorting to legal maneuvers, organizations must prioritize robust cybersecurity measures. Timely and transparent incident response protocols, bolstered by comprehensive employee training on identifying and thwarting phishing attempts, are critical. Additionally, adherence to regulatory disclosure timelines and regular security assessments can fortify defenses against cyber extortion tactics.