Denied Ransom, Frustrated Hackers Report Victim to Police for Failure to Report Data Breach

A ransomware operation that failed to extort money from the victim took a turn for the worse when the attackers decided to report the company to the Securities and Exchange Commission (SEC).

Ransomware operators consistently find novel ways to pressure or humiliate their victims, especially when negotiations fail. This event, however, may well be a first on the ransomware scene.

The BlackCat ransomware operation, also known as AlphV, allegedly breached MeridianLink earlier this month to steal internal data, including customer information.

When negotiations failed between the attackers and the victim, BlackCat decided to report the company to the Securities and Exchange Commission for failing to acknowledge that they got breached.

“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules,” the attackers wrote in the SEC complaint, according to screenshots shared by Databreaches.net. “It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the SEC rules.”

Databreaches got in touch with the hacker crew and learned that the attackers didn’t encrypt the company’s systems, but did exfiltrate internal data.

“Someone from MeridianLink had reached out to AlphV at some point, but there has been no interaction between the attackers and the firm,” Databreaches reports.

MeridianLink, which sells a software platform and serves banks, credit unions and other financial institutions, admits to getting breached, but says there is “no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”

However, it doesn’t say whether customer data was affected in any way.

“We have no further details to offer currently, as our investigation is ongoing,” it added in a statement offered following media inquiries.

The SEC’s new rules involving data breaches, adopted this summer, require publicly listed companies to report to the commission within four business days after the company determines it has experienced a material cyber-incident. However, the directive is only set to take effect next month, Dec. 15.