ALPHV, also known as “BlackCat” attacked MeridianLink back on November 7, 2023. After figuring out that ML did not report the attack under the new SEC guidelines, and in an effort to extort more money from ML, sent a screenshot of the SEC form that the attack is supposed to be submitted on and claimed that ML “failed to file the requisite disclosure.”
https://www.darkreading.com/risk/alphv-ransomware-group-files-sec-complaint-against-own-victim
It’s very rare that a ransomware group purposefully tells on themselves after engaging in a cyber-attack. In a weird twist, though, that’s exactly what the ALPHV group did. ALPHV, also known as “BlackCat” attacked MeridianLink back on November 7, 2023. MeridianLink is a financial software company that provides certain tools to banks, credit unions, mortgage lenders and consumer reporting agencies within the United States.
A little bit of background for this to make sense. MeridianLink is a publicly traded company and falls under SEC reporting guidelines. Back in July of 2023, the SEC approved new rules that require companies to disclose cybersecurity incidents. The disclosure would need to state the nature, scope and timing of the attack and is supposed to be filed within four days of the company deciding that the attack was “material” to the company and its investors (was the data compromised material to the company). The only reason to not report the incident within the timeframe is if it would threaten national security or public safety.
BlackCat, after figuring out that ML did not report the attack, sent a screenshot of the SEC form that the attack is supposed to be submitted on and claimed that ML “failed to file the requisite disclosure.” Talk about a risky move!
So, why did BlackCat do this? The main reason it was done was to try and increase their chances of ML paying the ransom. However, no one is sure what, if anything, the SEC will do to ML for failing to disclose the attack. The disclosure required by the SEC doesn’t even take effect until December 15, 2023. Further, it is up to ML to decide if the attack was material enough to even report and to date, ML doesn’t believe that the data breached wasn’t significant and that the company’s business operations were minimally interrupted. In the future, though, under the new SEC guidelines, if a company doesn’t report an attack, the SEC could take discipline action against the company and levy additional fines against them. That would mean a double-blow to the company: paying ransomware and then paying the SEC.