Yesterday, on November 15th, the ALPHV/BlackCat ransomware organization pulled a new trick, creating a new threat and setting a novel standard in ransomware extortion techniques. According to DataBreaches.net, MeridianLink, a publicly traded company that provides digital solutions for financial organizations (banks, mortgage lenders, etc.), was breached on November 7th. On November 15th, ALPHV listed MeridianLink on its leak site, setting a 24-hour ultimatum to pay the ransom. Shortly after that, the threat actor filed a U.S. Securities and Exchange Commission (SEC) complaint against the victim for not complying with the breach disclosure requirements.
ALPHV claimed that MeridianLink did not respond to its call to negotiate, and that it therefore acted to apply additional pressure to convince the company to comply. The 24-hour ultimatum is also on the shorter end of what we’ve previously seen in attacks @CIPTEAM responded to on behalf of our clients.
MeridianLink confirmed the cyberattack but claims it was not negligent in its reporting duties, as the relevant SEC regulations are not yet in force and are set to take effect on December 15.
Ransomware groups routinely use the threat of regulatory action against victims as extortion leverage, but this seems to be the first time there is evidence of threat actors actually reporting the breach and the alleged non-compliance themselves.
This is further proof that ransomware is not going to fade away and that new extortion tactics are to be expected. Organizations are breached on an hourly basis; it is imperative that, if worse comes to worst, you are prepared with an up-to-date Cyber Crisis Management Plan (CCMP) and stay on top of the situation in a timely manner to prevent the incident from escalating into a full-blown crisis.