The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack [bleepingcomputer.com]:
Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.
MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.
According to DataBreaches.net [databreaches.net], the ALPHV ransomware gang said they breached MeridianLink’s network on November 7 and stole company data without encrypting systems.
The ransomware actor said that “it appears MeridianLink reached out, but we are yet to receive a message on their end” to negotiate a payment in exchange for not leaking the supposedly stolen data.
The alleged lack of response from the company likely prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted “customer data and operational information.”
[...] In their own words, the attacker told the SEC that MeridianLink suffered a “significant breach” and did not disclose it as required in Form 8-K, under Item 1.05.
The SEC’s new cybersecurity rules [bleepingcomputer.com] are set to take effect on December 15, 2023.
Originally spotted on Schneier on Security [schneier.com].
Related: Teens With “Digital Bazookas” Are Winning the Ransomware War, Researcher Laments [soylentnews.org]