After infiltrating the IT systems of the American software company Meridianlink, the ransomware group ALPHV has reportedly filed a complaint with the US Securities and Exchange Commission (SEC). The attackers claim, in the complaint published by Bleeping Computer, that the breached company failed to report the breach to the authority within four days of the incident.
The initial cyberattack, according to a report by Databreaches, occurred on November 7. ALPHV, also known as Blackcat, allegedly encrypted data but did not exfiltrate it. However, the group claims to have extracted some information. Meridianlink patched the vulnerability exploited by the ransomware group only after ALPHV added the company to its data leak site.
Alleged lack of ransom payment
Reportedly, the targeted company did not comply with the hackers’ ransom demand, as per Bleeping Computer. ALPHV initially provided Meridianlink with a 24-hour window for payment and threatened to disclose the stolen data.
Due to the absence of payment for several days and apparently no report of the cyberattack to the authorities by Meridianlink, the ransomware group opted to apply additional pressure by filing a complaint with the SEC.
The attackers seemingly filled out a complaint form available online from the US securities authority. ALPHV purportedly published screenshots of the completed form and the SEC’s acknowledgment of receipt on its website, as stated in the Bleeping Computer report.
ALPHV has been previously involved in several prominent cyberattacks, including an attack on the German hotel chain Motel One. The group is also alleged to have provided its malware for attacks on the IT systems of US casino operators MGM Resorts and Caesars Entertainment.
Upcoming mandate for US organizations to report cyberattacks
According to a new regulation, US organizations will soon be obligated to report cyberattacks that have significant impacts, influencing investment decisions, within four business days of detection. However, this regulation is expected to take effect on December 15, 2023.
This mandate evidently poses a new leverage point for cybercriminals to pressure targeted organizations attempting to conceal potential damages.
Meridianlink reportedly claims, as per Bleeping Computer, to have taken immediate containment measures upon discovering the incident. Ongoing investigations are assessing whether consumers’ personal data was affected. There is no evidence yet of unauthorized access to the company’s production systems. Although there was a business disruption, it was reportedly minimal.
READ MORE: Amazon Launches Astro: Transforming Household Robot into Business Security Guard
