When ransomware groups (AlphV) snitch on victims to the SEC

Sicherheit (Pexels, allgemeine Nutzung)[German]New twist in the cat-and-mouse game between ransomware groups and their victims. Some victims try to keep a cyber incident secret. The ransomware group AlphV (also known as BlackCat) has made a new volte face in the field of extortion. As of November 15, 2023, the cybercriminals have filed a complaint against their victim MeridianLink with the U.S. Securities and Exchange Commission (SEC) for failing to report a security incident to the SEC.


A German blog reader brought this to my attention today in a private message on Facebook (thanks for that). The acronym SEC stands for Securities and Exchange Commission. This is the US Securities and Exchange Commission, which is responsible for monitoring securities trading in the United States. Companies must report certain matters to the SEC within a certain period of time.

MeridianLink is a US provider of a lending system and digital credit platform for financial institutions. And this company fell victim to the AlphV ransomware. According to the cybercriminals, they also extracted data in the process. Normally, ransomware gangs try to extort ransom money in order to decrypt encrypted data (not the case here) and prevent the publication of the captured data.

AlphV/BlackCat has compromised MeridianLink

Databreaches.net now reports here on a new move by the AlphV ransomware group. The ransomware gang was able to penetrate MeridianLink's IT systems on Tuesday, November 7, 2023. According to the cyber group, no data was encrypted, but files were extracted. AlphV contacted MeridianLink the following day to extort a ransom.

The AlphV (also know as Blackcat) group told DataBreaches that MeridianLink probably did nothing at first; IT did not apply any security updates when they learned of the incident. It was only when AlphV posted the successful hack on their blog and made it public that the vulnerability through which the attackers were able to penetrate was closed.

DataBreaches was contacted by the cyber group AlphV and was told that someone from MeridianLink had contacted AlphV at some point. However, there had been no interaction between the attackers and the company. The reason given was that the company was "offline". So no ransom was paid.


AlphV reports victims to the SEC

The cybercriminals have now taken the next step and filed a complaint against MeridianLink with the US Securities and Exchange Commission (SEC). Companies must now submit a report on cyber incidents to authorities such as the US Securities and Exchange Commission within 4 days, which has probably not been done. Although the provider advertises trust and security on the MeridianLink website, it has probably kept the cyber attack secret until now.

SEC-Beschwerde gegen MeridianLink
Source: DataBreaches.net

In a copy of the SEC complaint obtained by DataBreaches.net, the cybercriminals write that they wish to bring to the agency's attention an issue regarding MeridianLink's compliance with recently adopted cybersecurity incident disclosure rules. They state that it has come to their attention that MeridianLink failed to file the required disclosure under Item 1.05 of Form 8-K within the prescribed four business days, as required by the new SEC rules, after a significant security breach occurred that compromised customer data and operational information.

DataBreaches.net then asked MeridianLink about this and quickly received an answer. The company wrote that it takes the protection of its customers' and partners' data very seriously. MeridianLink had recently discovered a cybersecurity incident that occurred on November 10, 2023. Following the discovery on the same day, immediate action was taken to contain the threat and a team of external experts was engaged to investigate the incident.

According to previous investigations, there was no evidence of unauthorized access to the production platforms MeridianLink told DataBreaches. And the incident caused only minimal disruption to operations. As the investigation is still ongoing, no further details can be disclosed at this time, says MeridianLink. DataBreaches.net also writes in a postscript that they are not lawyers, but the story with the SEC notification is a bit of a head-scratcher. Because the new rule with a reporting obligation within 4 days is only to apply from December 15, 2023. In any case, this is a new development by the ransomware group – including additional attention.

Addendum: MeridianLink has confirmed the cyber attack, according to this report.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

One Response to When ransomware groups (AlphV) snitch on victims to the SEC

  1. Frankie Marino says:

    lol, no one every said russian cyber criminals were smart.
    i'm awaiting the knock on their doors from the vegas casino owners they hacked earlier this year, it will be interesting to hear stories about it in the future of when they, ALPHV (BlackCat), got 'disappeared' in an Illinois remote cornfield as in casino movie.

Leave a Reply

Your email address will not be published. Required fields are marked *