Change of tactics: ALPHV reports target to SEC for failing to disclose breach


In what’s probably a first, the ALPHV/BlackCat ransomware gang has filed a US Securities and Exchange Commission (SEC) complaint against one of their alleged victims. Experts say this is a worrying trend.

Earlier this week, ALPHV listed the software company MeridianLink on their data leak site with the usual threat that the stolen information will be made public unless a ransom is paid in 24 hours.

The attack happened on November 7th. According to ALPHV, they did not encrypt any files but did exfiltrate them. However, it seems that MeridianLink, a firm providing digital solutions for financial organizations, didn’t respond – at least in the way the hackers wanted.


Taking it to another level

The collective admitted on their website that “MeridianLink reached out,” but added: “We are yet to receive a message on their end.” Presumably, ALPHV wanted to see a willingness to negotiate a ransom payment.

No such message was received, so the crooks decided to take things to a new level. ALPHV said they sent a complaint to the SEC about MeridianLink not disclosing a cybersecurity incident that impacted customer data and operational information.

“The recent adoption of SEC rules mandates public companies to promptly disclose material cybersecurity incidents under Item 1.05 of Form 8-K within four business days of determining such incidents to be material. Despite this requirement, MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago,” ALPHV explained.

“We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission.”

To demonstrate that the complaint is real, ALPHV posted a screenshot of the form they filled out on the SEC’s Tips, Complaints, and Referrals page.

ALPHV posted a screenshot of the form they filled out on the SEC’s Tips, Complaints, and Referrals page. Image by Cybernews.

MeridianLink promptly confirmed the cybersecurity incident and said it had acted immediately to contain the threat. Third-party experts have been engaged to investigate the incident but the firm has allegedly identified no evidence of unauthorized access to the production platforms.


Treading carefully advised

Reporting its own victim to the SEC is a brazen move by ALPHV – but they just took the next logical step, says Jake Williams, former US National Security Agency hacker. According to Williams, as more organizations have established better response plans for recovering from a ransomware attack, cybercriminals have had to change their tactics to incentivize victims to pay.

“By reporting their own intrusion to the SEC, BlackCat took the next logical step in incentivizing extortion payments by directly notifying a regulator of a victim who had failed to notify themselves. We should expect that other cybercriminal groups will take similar measures with the SEC,” said Williams.

In this specific case, the problem for ALPHV is that the SEC’s new rules, which require publicly traded companies to report cyberattacks that have a material impact, are set to take effect on December 15th. In essence, MeridianLink had every right to stall.

Still, Williams says that ALPHV “has opened Pandora's box” and that “it's clear we've entered the age of criminals weaponizing regulators against compromised organizations.”


“Whether these reports are simply used to enforce standards or used to further victimize these organizations will be entirely up to regulators. The cybercriminals are watching, regulators need to tread very carefully,” said the expert.

Ariel Parnes, chief operating officer and co-founder at Mitiga, a cybersecurity company, even calls such moves “psychological operations.” He thinks that the new SEC rules have actually given attackers more incentive to use psyops because they “add a layer of urgency and public scrutiny, making them a potent tool for attackers.”

“By filing an SEC complaint against MeridianLink for not complying with the disclosure rule, ALPHV has sophisticatedly integrated legal and regulatory frameworks into their psychological warfare strategy,” said Parnes.

“This approach intensifies the pressure on the victim, showcasing a worrying trend where cybercriminals use legal and regulatory mandates to amplify their attacks.”
