{ "id": "7ce474b0-f21c-4979-88b2-0ec6b1008da5", "created_at": "2026-04-06T00:14:58.151669Z", "updated_at": "2026-04-10T13:12:07.031897Z", "deleted_at": null, "sha1_hash": "ddf3a151a271128192d160c6379016788ff6f37b", "title": "Notorious ransomware gang takes credit for cyberattack on Fidelity National Financial", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 75230, "plain_text": "Notorious ransomware gang takes credit for cyberattack on\r\nFidelity National Financial\r\nBy Jonathan Greig\r\nPublished: 2023-11-27 · Archived: 2026-04-05 17:24:36 UTC\r\nA ransomware group behind some of the biggest cyberattacks in 2023 has taken credit for an incident involving a\r\nmultibillion-dollar player in the real estate industry.\r\nFidelity National Financial — a Fortune 500 provider of title insurance for property sales — acknowledged an\r\nattack in regulatory documents submitted November 21 to the U.S. Securities and Exchange Commission.\r\nOn November 22, the AlphV/Black Cat ransomware gang took credit for the intrusion, publishing a lengthy screed\r\nagainst the company for hiring incident responders. The group claimed the response team was from Google’s\r\nMandiant unit.\r\nIn 8-K filings first reported by TechCrunch, Fidelity National Financial did not provide specifics about its\r\nresponse.\r\n“Fidelity National Financial recently became aware of a cybersecurity incident that impacted certain FNF\r\nsystems,” the company said. “FNF promptly commenced an investigation, retained leading experts to assist the\r\nCompany, notified law enforcement authorities, and implemented certain measures to assess and contain the\r\nincident.”\r\nFidelity National Financial said that so far, the investigation has revealed the hackers accessed certain company\r\nsystems and “acquired certain credentials.” The company did not respond to requests for comment about what that\r\nmeans.\r\nIn the filing, company officials said they were still trying to understand whether the incident would have a\r\nmaterial impact on operations, but there were indeed issues during the initial response.\r\n“Among other containment measures, we blocked access to certain of our systems, which resulted in disruptions\r\nto our business. For example, the services we provide related to title insurance, escrow and other title-related\r\nservices, mortgage transaction services, and technology to the real estate and mortgage industries, have been\r\naffected by these measures,” the company said.\r\nSeveral real estate-focused news outlets said the attack has had significant downstream effects on the industry.\r\nReal Estate News called Fidelity National Financial the “nation's largest title insurance company” and said it has\r\nstopped many scheduled home-sale closings as a result of the attack.\r\nReal estate agents, homebuyers and more have been left in the lurch, trying to find ways to finish sales. But the\r\nsystem outages mean many transactions will not be completed until this week. TechCrunch spoke to several\r\nrealtors on Monday who were exasperated by the outages, which are causing delays in closings.\r\nhttps://therecord.media/fidelity-national-financial-ransomware-alphv-black-cat\r\nPage 1 of 3\n\nFidelity National Financial owns dozens of regional title companies like National Title of New York, Chicago\r\nTitle, Alamo Title and Commonwealth Land Title. TechCrunch\r\nCybersecurity expert Kevin Beaumont noted that like multiple major companies that have suffered hacks in recent\r\nweeks, Fidelity National Financial had tools exposed to the internet that were vulnerable to a bug known as\r\nCitrixBleed.\r\nThe top cybersecurity agencies in the U.S. released an urgent warning about the issue on November 21, warning\r\nthat both nation-state hackers and cybercriminals were exploring ways to exploit the vulnerability.\r\nJust three weeks ago, hackers targeted Texas-based mortgage giant Mr. Cooper, the largest non-bank mortgage\r\nservicer in the U.S. The attack prompted the company to lock down its systems, forcing people to pay off their\r\nloans by phone, mail service or Western Union.\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nhttps://therecord.media/fidelity-national-financial-ransomware-alphv-black-cat\r\nPage 2 of 3\n\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/fidelity-national-financial-ransomware-alphv-black-cat\r\nhttps://therecord.media/fidelity-national-financial-ransomware-alphv-black-cat\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://therecord.media/fidelity-national-financial-ransomware-alphv-black-cat" ], "report_names": [ "fidelity-national-financial-ransomware-alphv-black-cat" ], "threat_actors": [ { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434498, "ts_updated_at": 1775826727, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ddf3a151a271128192d160c6379016788ff6f37b.pdf", "text": "https://archive.orkl.eu/ddf3a151a271128192d160c6379016788ff6f37b.txt", "img": "https://archive.orkl.eu/ddf3a151a271128192d160c6379016788ff6f37b.jpg" } }