Business Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service
BlackCat Extortion Technique: Public Access to Breached Data
BlackCat User Publishes Downloadable Stolen Data on Typosquatted WebsiteOperators of the BlackCat ransomware as a service appear to be using a new extortion technique: creating a dedicated website on the public internet revealing personal data stolen from victims.
See Also: Gartner Guide for Digital Forensics and Incident Response
On Tuesday, the BlackCat "name and shame" website published a link to an open website resolving to a typosquatted domain containing the personally identifiable information of thousands of individuals. The data appears to belong to employees of The Allison Inn & Spa, an Oregon wine country luxury spa and resort. As of late afternoon today, the typosquatted site appears to be offline.
The luxury resort did not respond to Information Security Media Group's reuest for information. In a later statement to local news outlet The Oregonian, resort Director of Finance Lonny Watne acknowledged the attack and said the company had begun to notify affected individuals. They include guests, whose names, check-in dates and spending totals were also posted on the internet by hackers.
"We conducted a full investigation with the help of outside cybersecurity experts, and that investigation determined that some personal information was subject to unauthorized access," Watne tells the newspaper.
Posting online personal data stolen from a victim marks an escalation in criminal ransomware technique. Rather than slowly releasing stolen data on hidden websites to ramp up the pressure on victims to pay, this threat actor may be counting on a "shock and awe" approach. In a warning posted online, it forewarned that, without a forthcoming payment, it will release the resort’s "entire accounting" onto the public internet.
"We are not going to stop, our leak distribution department will do their best to bury your business," the operators said on the now dormant typosquatted website.
Threat actors invent new strategies all the time, says Brett Callow, a threat analyst at security firm Emsisoft.
"We've seen them transition from encryption-only attacks to encryption plus exfiltration, and now we're seeing them look for new ways to leverage the exfiltrated data," Callow says.
As is the usual procedure for victims of BlackCat ransomware, the victim reportedly must establish contact with its hackers via Tor, shows a tweet from self-described "greying beard" cybersecurity professional Nicholas Carroll.
The Typosquatted Website
The typosquatted site showed a note threatening reputational damage if the victim company does not initiate negotiations. The website did not specify the ransom amount demanded or show the ransom note.
The attacker said the victim does not "have much time" to initiate negotiations, without specifying the deadline.
The typosquatted domain resolved to a [.]xyz
top-level domain, instead of The Allison's correct [.]com
domain. The typosquatted website contained the personal data of 1,534 employees and spending totals of 2,789 named guests.
The site's WHOIS entry shows a private individual supposedly with a Hong Kong mailing address registered the domain on May 31.
A representative of .xyz top-level domain registry told The Oregonian the typosquatted site violated its anti-abuse policy. "We have suspended the domain to prevent further harm," says Jocelyn Hanc, operations vice president for XYZ.
Leaked employee data includes first and last names, dates of birth, phone numbers, email IDs and Social Security numbers. There's also an option to download the "full data" of any individual on the list in a [.]zip format.
The zip files contain sensitive data, including employee background checks, direct deposit agreements, medical information, emergency contact information, employment eligibility Form I-9 and employee withholding Form W-4, drug screening reports, offer letters and identity card data.
Other Victims
BlackCat, also known as ALPHV, has quickly gained prominence as a provider of ransomware malware to an extended group of affiliates since first being spotted in the wild late last year. Analysis by cybersecurity firm Varonis shows the group actively recruiting operators with promises that affiliates can keep 90% of victims' payouts. Recent victims of BlackCat ransomware include several educational institutes, such as the University of Pisa, French educational institute Ecole des Ingénieurs de la Ville de Paris, the Florida International University, the North Carolina Agricultural and Technical State University. Also in the list is a Canadian public school district in Saskatchewan (see: BlackCat Attacks University of Pisa, Demands $4.5M Ransom).
(Note: The story was updated on June 16 to include the name of the victim organization, its reported acknowledgement of the attack, the status of the original and typosquatted websites, and reported comments from a representative of the XYZ domain registry.)