National mortgage lender loanDepot is declining to comment on ransomware group ALPHV/Blackcat’s claims that the group was behind a cyberattack that the lender has acknowledged exposed the personal information of 16.6 million people to an “unauthorized third party.”
In disclosing the cyberattack on Jan. 8, loanDepot declined to provide more specific information on exactly when the security breach occurred or whether the company had received a ransom demand.
But on Friday, Feb. 16, ALPHV/Blackcat claimed responsibility for cyber attacks on loanDepot and Prudential Financial, complaining on a dark Web site that neither company has complied with its demands.
TAKE THE FEBRUARY INMAN INTEL INDEX SURVEY NOW
According to The Register, an online news service for information technology professionals, the ransomware group claimed negotiators for loanDepot initially proposed paying $6 million to release the company’s data, an offer that the group later concluded was a stalling tactic.
“They [loanDepot] offered $6 million for the data and decryptor, but they said they could get a significant increase if we waited over the weekend — a tactic used by negotiators,” ALPHV/Blackcat reportedly posted on its dark Web page, according to another IT news site, RedPacket Security. “After the weekend was over, they disappeared.”
A spokesperson for loanDepot declined to comment on the group’s claims, but said in an email to Inman, “We’re 100 percent back up and operational, and have been for weeks.”
On Monday, Jan. 22, loanDepot posted on a cyber incident update page that it was still working on restoring its loan origination and loan servicing systems. The loanDepot spokesperson said the company’s systems were fully restored later that week.
The company had previously said that its loan servicing portal, which homeowners use to make their monthly mortgage payments, was back online “with some limits to functionality” on Jan. 18, and fully operational the following day.
The MyloanDepot customer portal for online loan applications and status tracking, mellohome’s website (which connects pre-approved homebuyers with partner real estate agents) and loanDepot’s HELOC customer portal were reported as back online Jan. 18.
Fidelity National Financial and First American Financial, which are the nation’s two largest title insurers, shut down their systems after similar security breaches in November and December. Mortgage servicing giant Mr. Cooper notified nearly 15 million past and current customers in December that their personal information may have been compromised in an October data breach.
According to the FBI, ALPHV/Blackcat and its affiliates have compromised over 1,000 businesses and government entities and received nearly $300 million in ransom payments.
The FBI has developed a decryption tool that it’s offering to victims to help restore their systems, saving dozens of victims from ransom demands totaling approximately $99 million,” the State Department said last week in announcing up to $15 million in rewards aimed at stopping the group.
The State Department is offering up to $10 million in rewards for information leading to the identification or location of anyone who holds a key leadership position in the ALPHV/Blackcat group, and up to $5 million for information leading to the arrest or conviction of anyone participating in a ransomware attack using the ALPHV/Blackcat variant.
The ALPHV/Blackcat group uses a “ransomware-as-a-service model” in which developers create ransomware and affiliates identify and attack “high-value victim institutions,” the Department of Justice said in a Dec. 19 news release.
“Blackcat actors have compromised computer networks in the United States and worldwide,” the Justice Department said. ” The disruptions caused by the ransomware variant have affected U.S. critical infrastructure — including government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities — as well as other corporations, government entities, and schools.”
The Justice Department announced Tuesday that it had disrupted the operations of another ransomware group, LockBit, working with international law enforcement partners to seize public-facing websites and servers allegedly used by the group to extort victims. Two Russian nationals were indicted and charged with attacks against multiple U.S. and international victims.
The FBI and the U.K. National Crime Agency’s (NCA) Cyber Division have developed decryption capabilities to restore systems attacked by the LockBit ransomware variant, and victims are encouraged to contact the FBI to determine whether their systems can be restored.
Get Inman’s Mortgage Brief Newsletter delivered right to your inbox. A weekly roundup of all the biggest news in the world of mortgages and closings delivered every Wednesday. Click here to subscribe.