BlackCat ransomware group this week filed a U.S. Securities and Exchange Commission complaint.
It’s certainly a unique way to increase the trouble generated by one of its attacks. The complaint charges one of its alleged victims with not complying with the SEC’s four-day disclosure rule.
MeridianLink, a financial services tech provider that said it acted immediately to contain the threat and begin their investigation. The hackers claimed the attack took place on Nov. 7, and MeridianLink representatives never followed up with any response to their ransom demands. The source indicated that no unauthorized access or interruption to its business has happened.
The story shows screenshots of the SEC filings by the hackers, including confirmation of their submittal. Whether an actual breach had happened depends on resolving the different stories from the ransomware group and MeridianLink security managers. And even if the breach had happened, it’s not likely that MeridianLink was required to disclose it, since the rule for quick disclosure doesn’t go into effect until next month anyway.
Moreover, it would appear that ALPHV has also published the contact details of Meridian’s CISO, CEO, wife of the CEO, and son of the CEO as part of this campaign. That is pretty despicable, as even though stakeholders have a right to know about a breach, it shouldn’t necessarily come at the cost of being doxxed.
This latest ransomware maneuver is just another example of the escalation of extortion methods, known as multipoint attacks. ALPHV/BlackCat is one of the most prolific multipoint groups.