A Ransomware Gang Wanted Its Victim to Pay Up. So It Went to the SEC.



The hackers didn’t wait for new rules, which would require companies to disclose major cybersecurity incidents, to go into effect.

The call is coming from inside the hack. A ransomware gang claimed this past week that it broke into the systems of the fintech platform MeridianLink. The breach has been reported to regulators.

The company didn’t report it, as new rules will require them to do. The hackers did.

New Securities and Exchange Commission rules, which go into effect next month, require that hacked companies disclose materially important cybersecurity incidents to investors within four days of discovering them.

The hackers, called both AlphV and Black Cat, didn’t wait for the rules to take effect to use the threat of disclosure to pressure the company to meet its ransom demands.

MeridianLink acknowledged the hack after AlphV disclosed it. The company said that the incident caused minimal business interruption and that, if it determines that any consumer personal information was involved, it will provide notifications as required by law. MeridianLink said it had hired a third party to investigate the incident.

“MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago," AlphV wrote in a statement published online. “We have therefore reported this non-compliance by MeridianLink."

In recent years ransomware groups have been known to send messages to customers, investors and even employees’ family members to ratchet up the pressure to pay, said John Bennett, the global head of government affairs at the risk advisory firm Kroll.

“This is just a new way of applying pressure to companies to get them to comply," he said of the group’s SEC complaint.

While security experts said AlphV’s report to the SEC was something of a publicity stunt, it also shows the new risks companies face based on how they handle hacks and ransomware attacks.

“Now the bad guys are recognizing that the U.S. regulatory landscape is becoming acutely more dangerous for companies," said Tim Howard, U.S. head of data security at Freshfields and former head of the cybercrime unit at the Manhattan U.S. attorney’s office.

Along with the new disclosure rules, the SEC last year announced that it was nearly doubling the size of its unit responsible for crypto cases and cybercrime. The agency recently charged SolarWinds and its chief information security officer with fraud, alleging that the software company overstated its cybersecurity capabilities before it announced it was a victim of a major hack in 2020.

SolarWinds has said that the SEC’s complaint is fundamentally flawed and that it plans to fight the charges.

AlphV claimed credit earlier this year for a high-profile hack at MGM Resorts International, which said that it would take a $100 million hit to its earnings after the company’s casino operations were crippled following the company’s refusal to pay the ransom.

Robert McMillan contributed to this article.

Write to Ben Foldy at

Catch all the Elections News, Technology News and Updates on Live Mint. Download The Mint News App to get Daily Market Updates & Live Business News.


Switch to the Mint app for fast and personalized news - Get App