Ransomware gang BlackCat has filed a complaint with the US financial regulator the Securities and Exchange Commission (SEC) against one of its own victims for failing to report a breach. The move appears to be a ploy to make the company involved, MeridianLink, comply with a ransom demand.
According to the filing, MeridianLink – which supplies digital lending solutions to banks, credit unions and other financial institutions – failed to act in line with US law by notifying the regulator that the group had hacked it earlier this month.
Also known as ALPHV, BlackCat has been one of the most active ransomware gangs in 2023, and previous alleged victims include Reddit, watchmaker Seiko and the Ecuadorian Army. This appears to be the first time it has complained about a victim’s misconduct to regulators.
BlackCat goes to the SEC
In a statement to DataBreaches, BlackCat explained that they had exfiltrated files from MeridianLink on 7 November. The breach seems to have passed unnoticed by the firm’s security staff until the gang posted the company to its victim blog, at which point “they… patched the way used to get in” to the firm’s systems.
BlackCat then reported its own attack to the SEC. The gang complained to the regulator that MeridianLink had “failed to file the requisite disclosure under Item 1.05 of Form 8-K with[in] the stipulated four business days, as mandated by the new SEC rules”.
The regulations cited by BlackCat were announced by the SEC last month and require companies operating in the US to disclose data breaches and other material cybersecurity incidents within four business days. While the ransomware gang did comply with the spirit of the new rules by letting this grace period expire before it reported MeridianLink, it seems to have overlooked that the legislation does not officially come into force until 15 December.
MeridianLink confirms cyberattack
MeridianLink has confirmed a “cybersecurity incident” took place on 10 November, three days after BlackCat claimed to have breached its systems. It did not say whether a ransom demand had been issued or paid.
A company spokesperson said it “acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident”.
The spokesperson added: “Based on our investigation to date, we have identified no evidence of unauthorised access to our production platforms, and the incident has caused minimal business interruption. We have no further details to offer currently, as our investigation is ongoing.”
It was inevitable that cybercriminal groups would begin to use data breach notification requirements to exert added pressure on their victims to pay ransoms more promptly, explains Dr Ilia Kolochenko, the CEO of cybersecurity firm ImmuniWeb. “Having said that, not all security incidents are data breaches, and not all data breaches are reportable data breaches,” Kolochenko told Tech Monitor. “Therefore, regulatory agencies and authorities should carefully scrutinize such reports and probably even establish a new rule to ignore reports uncorroborated with trustworthy evidence. Otherwise, exaggerated or even completely false complaints will flood their systems with noise and paralyze their work.”
This is not the first time that a cybercrime gang has claimed to report its victims to regulators for failing to disclose breaches in good time. RansomedVC recently said that it threatened companies who failed to pay ransoms for stolen data with GDPR complaints (data breaches under the EU regulation can lead to fines of €20m or 4% of a firm’s annual global turnover.) However, this strategy has since been discontinued with the gang’s voluntary liquidation as of 30 October. According to a statement made by RansomedVC’s alleged admin, “I do not want to continue being monitored by federal agencies and I would wish to sell the project to someone who will want to continue it.”