ALPHV gang claims it’s the attacker that broke into Prudential Financial, LoanDepot – Source: go.theregister.com

The ALPHV/BlackCat ransomware group is claiming responsibility for attacks on both Prudential Financial and LoanDepot, making a series of follow-on allegations against them.

Both US companies recently confirmed (here and here) cybersecurity incidents via Form 8-K filings with the Securities and Exchange Commission (SEC), but neither document mentioned the involvement of ransomware.

Neither company has had any of their stolen data leaked at this stage, although if negotiations continue to stall as ALPHV says they have (presuming its claims are true), then a data dump may not be too far away.

The advice from both CISA and the FBI is that victims should not pay ransom demands to cybercriminals, and in many cases this is followed.

When ransom demands aren’t paid, however, victims are often “punished” by having their attacks publicized, before continued non-compliance with the criminals’ demands leads to data disclosure. That’s the double extortion model.

ALPHV has now made a number of inflammatory allegations against both victims, which of course should be taken with a substantial grain of salt given that they are indeed criminals.

In the case of Prudential Financial, the gang has alleged that the company fibbed in its regulatory filing, which claimed the attackers broke in on February 4 and systems were contained a day later.

“The claims… are categorically false. We continue to have uninterrupted access to their network and are actively exfiltrating information,” ALPHV alleged on its site. “This can be verified as we sent the CEO, CIO, and legal person an email today showing evidence of this [as of] Feb 15.”

The gang said it is currently looking for customers who may wish to buy the stolen data, but will consider releasing it for free. This follows Prudential’s claim that it had seen no evidence of customer or client data being stolen. It made no such exclusions for other data types.

If the allegations are true, the company could face a backlash from the SEC and investors. However, it’s worth remembering that ALPHV made a name for itself towards the back end of last year for weaponizing regulators against ransomware victims. 

For example, in a novel November 2023 case, ALPHV filed an SEC complaint against fintech firm MeridianLink for failing to notify the regulator of a material breach. It was seen as a new way for cybercriminals to hasten the ransom payment negotiations beyond the traditional methods.

So, until we hear Prudential’s side it’s worth exercising some extreme caution before we buy into these claims.

As regards LoanDepot, the company confirmed a breach in early January with the SEC but didn’t confirm ransomware’s involvement.

If ALPHV was indeed responsible for the attack here, the group has allowed negotiations to carry on for a month and a half. Many groups lose patience much sooner.

According to the criminals, LoanDepot’s negotiators deployed stalling tactics presumably to delay the release of stolen data. An initial ransom payment of $6 million was proposed, but it wanted extra time to secure a bigger sum, at least that’s ALPHV’s claim. After that, the company stopped replying, apparently.

The Register contacted both Prudential Financial and LoanDepot for comment but neither immediately responded.

Evasive ALPHV

The ALPHV ransomware group continues to frustrate US authorities by terrorizing major organizations under its watch after surviving a takedown attempt in December.

It’s not often a cybercrime operation can withstand and overcome attempts to shutter it after international law enforcement sets out to dismantle its infrastructure, but that’s what happened in December when ALPHV wrestled the feds for control of its site over the space of a few days.

It seems the BlackCat does indeed have nine lives, as they say.

When the FBI’s initial seizure splash page appeared on the outfit’s dark web site, followed by press releases lauding the takedown and release of a decryptor, infosec watchers believed one of the world’s most notorious ransomware gangs had fallen like so many before it.

Fast-forward two months and it’s like nothing happened. The group’s website is back up and running and affiliates continue to claim major attacks on Western organizations.

• Feds post $15 million bounty for info on ALPHV/Blackcat ransomware crew
• ALPHV blackmails Canadian pipeline after ‘stealing 190GB of vital info’
• New kids on the ransomware block in 2023: Akira and 8Base lead dozens of newbies
• Thieves steal 35.5M customers’ data from Vans sneakers maker

Most recently, it allegedly broke into Canada’s Trans-Northern Pipelines – an attack on a critical infrastructure organization that naturally brings back memories of DarkSide’s Colonial Pipeline incident.

It may also not be a coincidence, given that ALPHV is linked to BlackMatter, which itself was linked to DarkSide.

Towards the end of last week, the US announced that it would offer a maximum total reward of $15 million for information leading to the identification or location of ALPHV leadership members and/or their arrest. ®