Ransomware Gang ALPHV/BlackCat More Creative Than Their Competition.
Different countries have different rules for how quickly a business that has suffered a data breach must report it to the authorities. In this case, the threat actor best known as ALPHV/BlackCat has taken its extortion technique to a new level by filing a U.S. Securities and Exchange Commission complaint against one of its victims for not complying with the four-day rule to disclose a cyberattack.
The attack took place last Tuesday, November 7. According to AlphV, they did not encrypt any files, but did exfiltrate files. MeridianLink was aware of it the day it happened. AlphV also claims that no security upgrades were made following the discovery, but “once we added them to the blog, they have patched the way used to get in,” according to DataBreaches.
However, while checking out their leak site, I could not find MeridianLink or MLNK on their list of victims.
Regarding the new four-day rule: it will not take effect until December 18th, 2023. The clock also does not start when the breach occurred; a company has four days to disclose from the point at which it determines that it needs to disclose. Businesses are not, however, allowed to "unreasonably delay" the determination of whether they need to disclose.
If more ransomware threat actors follow this gang's lead, more businesses that try to hide the fact that they were hacked might end up paying even higher fines than they would if they went on record and assumed responsibility for their bad OPSEC or lack of it.