In a mildly comedic response, a ransomware gang decided to file an official SEC complaint when a victim ignored their ransom demand.

 

The AlphV/BlackCat ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) against MeridianLink, a software company, for not disclosing a cyberattack within a supposed four-day deadline. The ransomware gang had threatened to leak stolen data unless a ransom was paid within 24 hours. MeridianLink, a publicly traded company providing digital solutions for financial organizations, allegedly suffered a breach on November 7th. The gang claims that rather than encrypting files, they had copied/removed them, and MeridianLink was aware of the attack on the same day.

Due to MeridianLink’s lack of response to ransom demands, the ransomware gang filed an official complaint with the SEC, stating that the incident had a material impact on customer data and operational information. However, the gang misunderstood the SEC’s cybersecurity disclosure rules, which are not set to take effect until December 15, 2023, and there is no four-day deadline yet in place.

MeridianLink responded by saying it acted immediately to contain the threat, engaged third-party experts for investigation, and found no evidence of unauthorized access to production platforms. The company is still assessing if any consumer personal information has been compromised. This incident is notable as it may be the first publicly confirmed case of a ransomware gang contacting regulators over a victim’s failure to disclose a cyberattack.