Business Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service

BlackCat Extortion Technique: Public Access to Breached Data

BlackCat User Publishes Downloadable Stolen Data on Typosquatted Website
BlackCat Extortion Technique: Public Access to Breached Data
Screenshot of the typosquatted website's home page (Source: ISMG)

Operators of the BlackCat ransomware as a service appear to be using a new extortion technique: creating a dedicated website on the public internet revealing personal data stolen from victims.

See Also: Gartner Guide for Digital Forensics and Incident Response

On Tuesday, the BlackCat "name and shame" website published a link to an open website resolving to a typosquatted domain containing the personally identifiable information of thousands of individuals. The data appears to belong to employees of The Allison Inn & Spa, an Oregon wine country luxury spa and resort. As of late afternoon today, the typosquatted site appears to be offline.

The luxury resort did not respond to Information Security Media Group's reuest for information. In a later statement to local news outlet The Oregonian, resort Director of Finance Lonny Watne acknowledged the attack and said the company had begun to notify affected individuals. They include guests, whose names, check-in dates and spending totals were also posted on the internet by hackers.

"We conducted a full investigation with the help of outside cybersecurity experts, and that investigation determined that some personal information was subject to unauthorized access," Watne tells the newspaper.

Screenshot of a redacted post on BlackCat ransomware group's "name and shame" site (Source: Nicholas Carroll)

Posting online personal data stolen from a victim marks an escalation in criminal ransomware technique. Rather than slowly releasing stolen data on hidden websites to ramp up the pressure on victims to pay, this threat actor may be counting on a "shock and awe" approach. In a warning posted online, it forewarned that, without a forthcoming payment, it will release the resort’s "entire accounting" onto the public internet.

"We are not going to stop, our leak distribution department will do their best to bury your business," the operators said on the now dormant typosquatted website.

Threat actors invent new strategies all the time, says Brett Callow, a threat analyst at security firm Emsisoft.

"We've seen them transition from encryption-only attacks to encryption plus exfiltration, and now we're seeing them look for new ways to leverage the exfiltrated data," Callow says.

As is the usual procedure for victims of BlackCat ransomware, the victim reportedly must establish contact with its hackers via Tor, shows a tweet from self-described "greying beard" cybersecurity professional Nicholas Carroll.

The Typosquatted Website

The typosquatted site showed a note threatening reputational damage if the victim company does not initiate negotiations. The website did not specify the ransom amount demanded or show the ransom note.

The attacker said the victim does not "have much time" to initiate negotiations, without specifying the deadline.

The typosquatted domain resolved to a [.]xyz top-level domain, instead of The Allison's correct [.]com domain. The typosquatted website contained the personal data of 1,534 employees and spending totals of 2,789 named guests.

The site's WHOIS entry shows a private individual supposedly with a Hong Kong mailing address registered the domain on May 31.

A representative of .xyz top-level domain registry told The Oregonian the typosquatted site violated its anti-abuse policy. "We have suspended the domain to prevent further harm," says Jocelyn Hanc, operations vice president for XYZ.

A screenshot showing redacted PIIs on the typosquatted search site (Source: ISMG)

Leaked employee data includes first and last names, dates of birth, phone numbers, email IDs and Social Security numbers. There's also an option to download the "full data" of any individual on the list in a [.]zip format.

The zip files contain sensitive data, including employee background checks, direct deposit agreements, medical information, emergency contact information, employment eligibility Form I-9 and employee withholding Form W-4, drug screening reports, offer letters and identity card data.

A redacted screenshot of what appear to be W-4 and I-9 forms of employees, published on the typosquatted site (Source: ISMG)

Other Victims

BlackCat, also known as ALPHV, has quickly gained prominence as a provider of ransomware malware to an extended group of affiliates since first being spotted in the wild late last year. Analysis by cybersecurity firm Varonis shows the group actively recruiting operators with promises that affiliates can keep 90% of victims' payouts. Recent victims of BlackCat ransomware include several educational institutes, such as the University of Pisa, French educational institute Ecole des Ingénieurs de la Ville de Paris, the Florida International University, the North Carolina Agricultural and Technical State University. Also in the list is a Canadian public school district in Saskatchewan (see: BlackCat Attacks University of Pisa, Demands $4.5M Ransom).

(Note: The story was updated on June 16 to include the name of the victim organization, its reported acknowledgement of the attack, the status of the original and typosquatted websites, and reported comments from a representative of the XYZ domain registry.)


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.