Ransomware gang complains to SEC that victim didn’t report data breach

ALPHV/BlackCat group specializes in creative ways of embarrassing victims into paying ransoms

A prominent ransomware gang with an innovative approach to extortion is trying to use the SEC’s new cybersecurity rule as leverage to force one of its victims to pay up.

The gang is ALPHV, a high-profile ransomware-as-a-service cartel that managed to penetrate the security of $1.5bln digital-lending platform provider MeridianLink on Nov. 7 and stole sensitive data that the gang threatened to make public if MeridianLink didn’t agree to pay a ransom within 24 hours, according to someone connected with the attack who spoke to writers for the security site databreaches.net.

MeridianLink didn’t reply and didn’t say anything public about the attack.

So ALPHV – which knew that the new SEC cybersecurity rule required that companies report any material breach within four days and wanted to ramp up the pressure on a victim that was ignoring its demand for payment – reported MeridianLink to the SEC for not having reported the breach.

“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” ALPHV wrote in a complaint to the SEC that was reposted to X, formerly Twitter.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

MeridianLink did respond once news of the attack was made public, but not to ALPHV, which is one of three major ransomware gangs responsible for attacks on more than 1500 companies worldwide during the first half of 2023, according to a mid-year threat report from security firm Rapid7.

MeridianLink posted a pair of notices on its web site acknowledging the attack, which it discovered Nov. 10, but said the breach didn’t cause it any problems.

“Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident,” the first update read. The investigation, it said, had found “no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”

A Nov. 20 update said the MeridianLink security response team “identified a threat actor’s improper access to one non-privileged user’s account and removed the threat actor’s access promptly.

“Our forensic investigation confirms that the threat actor did not access MeridianLink’s networks, servers, databases, integrations, or any part of our customer product platforms. Further, no ransomware or malware was deployed on MeridianLink’s network.”

The move appears to be the first effort by a cybercrime consortium to use the SEC as muscle, but ransomware attackers frequently attempt to force victims to respond using techniques much more sophisticated than simply a threat to encrypt a company’s data and deny access to it until a ransom is paid.

The SEC’s new cybersecurity rule does require that a company report material breaches within four days, but the time limit is four days after the company determines the breach would have a material impact, not four days after the attack.

And it doesn’t go into effect until Dec. 15, though any attack that would have a material impact on the company’s ability to operate would have to be reported on an 8-K form anyway, SEC chair Gary Gensler said during the July 26 meeting at which the rule was finalized.

If damage from the attack was not serious, as MeridianLink’s post asserts, there is no obligation under the new rule to report the attack.

That doesn’t mean the company is necessarily off ALPHV’s hook, however.

ALPHV is a serious player in a multilayered, highly specialized and demarcated community of crackers and data thieves who compete with other gangs within their own specialty and hire groups with other specialized skills when they need something done they can’t do themselves – just as any company would do in the legitimate economy.

ALPHV also claims responsibility for a September attack on MGM Resorts International; a Wall Street Journal story estimated that the casino giant’s refusal to pay could end up costing it $100m during the third quarter.

Last December the group, “which is known for testing new extortion tactics as a way to pressure and shame their victims into paying,” cloned much of the web site of one victim in the financial-services business, according to a January story in BleepingComputer. The attackers first hosted the clone on a data-leak site within the encrypted, anonymized Tor network, then moved the clone onto a publicly available site to embarrass the victim, who refused to pay the ransom.

In July it was reported to have built a special data-extraction API into the malware it uses to breach the security of victims, to help automate the extraction of stolen data, or to make it possible to sell the function to other attackers who might hire ALPHV to crack a site someone else planned to exploit.

ALPHV has also modified Google Ads and other common web applications into malvertising software designed to create entry points, according to a detailed analysis of the group’s background and methods on the security analysis site eSentire. The group lists 170 victims on its name-and-shame page, including McLaren Health Care, the hotel chain Motel One and the Lehigh Valley Health Network, which it tried to pressure into paying ransom by posting radiological imagery and clinical photos of breast-cancer patients labeled “nudes” or “topless photos.”

It also has ties to several leading cybercrime groups, for which it often acts as an “initial access provider,” according to eSentire, which refers to the group as “ruthless and despicable.”