

In what could be called the ultimate hubris, the ALPHV/BlackCat ransomware group this week filed a U.S. Securities and Exchange Commission complaint.
It’s certainly a unique way to increase the trouble generated by one of its attacks. The complaint, which is described in detail in yesterday’s post on Bleeping Computer by Ionut Ilascu, charges one of its alleged victims with not complying with the SEC’s four-day disclosure rule.
Ilascu cites confirmation of the breach by MeridianLink, a financial services tech provider that said it acted immediately to contain the threat and begin its investigation. The hackers claimed the attack took place on Nov. 7, and MeridianLink representatives never followed up with any response to their ransom demands. The source indicated to Ilascu that no unauthorized access or interruption to its business has happened.
Dr. Ilia Kolochenko, chief architect at application security firm ImmuniWeb, told SiliconANGLE that he wasn’t surprised. “Ransomware actors will likely start filing complaints with other U.S. and EU regulatory agencies when the victims fail to timely disclose their breaches,” he said. He predicts that the regulators will have to vet these complaints to ensure they represent a reportable event, “otherwise, exaggerated or even completely false complaints will flood their systems with noise and paralyze their work.”
The story shows screenshots of the SEC filings by the hackers, including confirmation of their submittal. Whether an actual breach had happened depends on resolving the different stories from the ransomware group and MeridianLink security managers. And even if the breach had happened, it’s not likely that MeridianLink was required to disclose it, since the rule for quick disclosure doesn’t go into effect until next month anyway.
This latest ransomware maneuver is just another example of the escalation of extortion methods, known as multipoint attacks. ALPHV/BlackCat is one of the most prolific multipoint groups.