Hacker chutzpah: Ransomware group says it reported victim to SEC

Cybercriminals with the group Alphv said a new SEC rule required victim MeridianLink to report a breach the ransomware gang launched last week, but the rule does not take effect until next month.
Michael Nagle/Bloomberg

Cybercriminal group Alphv said it reported a victim of one of its ransomware attacks to the Securities and Exchange Commission for supposedly violating the regulator's new rule mandating publicly traded companies report substantial cybersecurity incidents.

The company, financial software firm MeridianLink, confirmed it suffered an attack but had not yet determined the extent of personal information compromised.

"MeridianLink recently identified a cybersecurity incident," a spokeswoman for the company said Friday. "Safeguarding our customers' and partners' information is something we take seriously. Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident."

The spokeswoman added that the company had identified "no evidence of unauthorized access to our production platforms" and that the incident caused minimal business interruption.

"If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law," the spokeswoman said. "We have no further details to offer currently, as our investigation is ongoing."

MeridianLink counts many credit unions and some community banks as customers. The company reported $288 million in revenue last year.

MeridianLink did not have to report the incident in an 8-K filing, as Alphv claimed, because the SEC's new rule regarding material data breaches does not take effect until next month. Rather, cybersecurity experts said the report was merely a means of putting additional pressure on MeridianLink, which Alphv is extorting via the threat of releasing the data it stole.

The SEC's rule gives publicly traded companies four days to report a security incident from the time that the company determines it to be "material." Alphv said it compromised MeridianLink on Nov. 7. Alphv posted on Wednesday on its victim-shaming website about the SEC complaint it said it filed.

The SEC did not immediately respond to a request for comment. Other reports indicated the commission was not commenting on the matter.

The "misuse" of the SEC's form for flagging unreported data breaches was entirely foreseeable, according to Ilia Kolochenko, CEO of Switzerland-based cybersecurity company ImmuniWeb, and is a strategy that Alphv and similar groups use to put additional pressure on publicly traded companies.

"Ransomware actors will likely start filing complaints with other U.S. and EU regulatory agencies when the victims fail to disclose a breach within the timeframe provided by law," Kolochenko said.

The episode also highlights the need for the SEC to carefully scrutinize reports of noncompliance because exaggerated and false claims are likely to pile up, Kolochenko said.

Hackers continuously refine and adapt their strategies, and reporting a supposed violation of the SEC's four-day rule is just a new weapon in cybercriminals' toolbox, according to Darren Williams, CEO of cybersecurity firm BlackFog.

"We will surely see an increase in hackers leveraging this as an extortion tactic to humiliate their victims and guarantee payment is made," Williams said. "The added levels of embarrassment from hackers exposing organizations' failure to follow regulations and remain transparent with their customers and partners, should give them all the more reason to avoid delayed reporting and hopefully eliminate this new extortion tactic."

This new tactic is one of many that ransomware groups now use in place of the original concept of ransomware — that cybercriminals could disrupt their victims' operations by encrypting their systems. While many groups, including Alphv, still encrypt some victims' systems, doing so can increase the chances of detection.

The stunt by Alphv, which deploys BlackCat ransomware on victims, is the latest to draw attention to the criminal organization. Earlier this year, the group made headlines after attacks on MGM Resorts and Caesars Entertainment. Previously, the group had interrupted back-office functions of NCR point-of-sale terminals in April.

Alphv's ransomware is written in Rust, which the FBI notes is considered a more secure programming language. The FBI also says that many of Alphv's developers and money launderers are linked to the Darkside (aka Blackmatter) ransomware group, which was behind the Colonial Pipeline disruption in 2021.
