BlackCat/ALPHV ransomware gang files SEC complaint over victim’s “undisclosed” data breach

Unprecedented move takes the threat group’s extortion efforts to a new level

Michael Hill
11/16/2023


Notorious ransomware group BlackCat/ALPHV has filed a US Securities and Exchange Commission (SEC) complaint against one of its alleged victims for failing to comply with a four-day cyber attack disclosure rule. The unprecedented move takes the threat group’s extortion efforts to a new level after it claimed to have recently breached and stolen data from software company MeridianLink.

The ransomware gang said it breached MeridianLink’s network on November 7 and stole company data without encrypting systems, according to DataBreaches.net. It gave the victim a 24-hour deadline to pay a ransom before it would publish the information. Whilst MeridianLink reportedly reached out to BlackCat/ALPHV initially, the group said it has not received communications to begin negotiations about payment in exchange for not leaking the supposedly stolen data.

Victim’s lack of response likely prompted SEC complaint

This alleged lack of response appears to have prompted the hackers to exert more pressure by sending the complaint to the SEC about the incident that impacted “customer data and operational information.” BlackCat/ALPHV published a screenshot of the form they filled out on the SEC’s Tips, Complaints, and Referrals page.

However, the boldness of BlackCat/ALPHV may be misjudged, as the newly formed cyber attack notification rule (Form 8-K, under Item 1.05) that it accuses MeridianLink of breaking does not actually come into force until next month (December 15). The SEC recently announced it would be adopting new rules that require publicly traded companies to report cyber attacks that have a material impact within four business days.

MeridianLink confirmed cyber security incident

MeridianLink confirmed that it had suffered a cyber security incident and acted immediately to contain the threat, engaging a team of third-party experts to investigate. In a statement, it told DataBreaches.net:

“Safeguarding our customers’ and partners’ information is something we take seriously. MeridianLink recently identified a cyber security incident that took place on Nov 10. Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”

BlackCat/ALPHV SEC complaint reflects increasing “maturity level” of ransomware groups

The BlackCat/ALPHV SEC complaint shows that ransomware operations are beginning to reach a maturity level where the responsible threat actors are fully aware of regulations affecting their target sector and are able to use regulatory bodies to enhance the threat of extortion, said Thomas Barton, senior IR analyst at Integrity360. “This highlights the importance of engaging experienced legal and cybersecurity professionals before, during and after an incident who can assist in navigating the complex challenges that such an attack can present.”

Earlier this week, Cyber Security Hub revealed that an affiliate of the BlackCat/ALPHV group has been attacking corporations and public entities in a malvertising campaign that uses Google Ads to spread Nitrogen malware.
