One of the most active ransomware groups in the world has adopted an unethical—if not unexpected—strategy to force one of its victims to pay: reporting the victim to the US Securities and Exchange Commission.
The scheme came to light in a post published Wednesday on the dark web site operated by AlphV, a ransomware crime syndicate that has been active for two years. After initially claiming to have breached the network of the publicly traded digital lending company MeridianLink, AlphV members posted a screenshot of a complaint and said it had been filed with the SEC through the agency's website. Under a recently adopted rule that takes effect next month, publicly traded companies must submit an SEC disclosure within four business days of determining that a security incident has a "material" effect on their business.
“We would like to bring to your attention an issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” AlphV officials wrote in the complaint. “It has come to our attention that MeridianLink, in light of a major breach that compromised customer data and operational information, has failed to file the disclosure required under section 1.05 of form 8-K within the scheduled four business days, as authorized by the new SEC Rules.”
The crime category designated in the online report is “material misrepresentation or omission from company records or financial statements or failure to file.”
Thursday’s dark web post also includes what appears to be an automated response received from the SEC acknowledging the complaint.
As noted, the rule has not yet taken effect, so even if the breach meets the legal definition of a material event, it is unlikely that MeridianLink will face enforcement action. That said, AlphV is likely capitalizing on the industry-wide concern caused by the SEC's recent decision to sue the chief information security officer of SolarWinds. The SEC accused SolarWinds executives of misleading investors about the company's cybersecurity practices ahead of a 2020 cyberattack by Russian hackers that went on to infect 18,000 SolarWinds customers with malware.
MeridianLink officials declined a request for an interview and did not answer questions about whether customer data was compromised in a network intrusion or whether the company had experienced a security event that could be considered material. Instead, the company issued a statement confirming that officials had identified a "cybersecurity incident" and went on to say:
Upon detection, we immediately acted to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have not identified any evidence of unauthorized access to our production platforms, and the incident has caused minimal business disruption. If we determine that any user's personal information is involved in this incident, we will provide notifications, as required by law.
Brett Callow, a security analyst with Emsisoft, noted that a ransomware group known as Maze has already warned victims that it "maintains communication with key Security and Financial Regulators and will acknowledge them on all data leaks and breaches if the agreement is not reached."
“I’m not sure if they’ve actually done it,” Callow told Ars. “Terrorists have also threatened GDPR complaints and, IIRC, one may have actually followed through on that.” He said he was not aware of any party filing a complaint with the SEC. GDPR is short for General Data Protection Regulation, a European Union law giving people broad privacy protections.
AlphV first appeared in November 2021 and is notable for using ransomware, named BlackCat, that is written in the Rust programming language. The ransomware targets both Windows and Linux environments.
“As of April 2023, ALPHV has positioned itself as one of the most advanced ransomware groups in the current threat landscape, only falling behind the Lockbit ransomware group in terms of performance,” geopolitical and cybersecurity expert Chris Lucas wrote in May. “Being primarily a Russia-based group, ALPHV is unlikely to target groups based in Russia or within the rest of the Commonwealth of Independent States (CIS) that were part of the former Soviet Union.”
The group is also known for the unusual practice of threatening to launch distributed denial-of-service attacks against previously compromised targets in an attempt to apply additional pressure to pay.
In trading on Thursday, MeridianLink shares fell 0.2 percent, or 4 cents, to $18.51.