
BlackCat Spoofs Victim Website to Leak Stolen Data

Ransomware-as-a-Service Group Is a Pioneer in Typosquatting Domains to Spread Leaks

The BlackCat ransomware-as-a-service group is trying out a new tactic to pressure victims into paying extortion demands: creating a spoofed website on the public internet that reveals personal data stolen from the victim.


The group, also known as Alphv, allegedly stole 3.5GB of data from a U.S.-based small accounting firm. All that data is apparently available on the spoofed website, which resolves to a domain name one tiny spelling error away from the accounting firm's legitimate name.

"We created a clearnet site with the stolen data, we hope you enjoy it!" BlackCat wrote on its leak site. The stolen data is also on a file-sharing service whose link is on the leak site.

The data seen by Information Security Media Group appears to belong to the employees and clients of the accounting firm and contains cleartext passwords, employee details, audit reports, tax return details of its clients, driver's licenses and unredacted scans of passports.

As of early Tuesday evening, the spoof website is still online. WHOIS data shows an unnamed party - the registration is private - registered the typosquatted domain on Dec. 22.
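The leak site described above sits on a domain one spelling error away from the victim's real name, registered only days before it went live. A defender can catch that pattern early by screening newly registered domains (or names appearing in certificate-transparency logs) against the domains the organisation owns and flagging anything within a small edit distance, including the same name under a different TLD. The following is an added example written for this article, not code from the article or from any party named in it; every domain name in it is a constructed placeholder, and the distance threshold of one edit is an assumption chosen to match the "one tiny spelling error" the story describes.

```python
"""Flag lookalike (typosquatted) domains against a list of legitimate domains.

Defensive monitoring example: feed it the names from a newly-registered-domain
list or a certificate-transparency feed and it reports those within a small edit
distance of a domain you own. All domains below are constructed placeholders.
"""
from dataclasses import dataclass

# Domains the organisation actually owns (constructed placeholders, not the firm in the article).
LEGITIMATE_DOMAINS = ["exampleaccounting.com"]

# Sample candidates, as a newly-registered-domain feed might yield (constructed).
CANDIDATE_DOMAINS = [
    "exampleaccounting.com",         # the real one: not a lookalike
    "exampleaccountng.com",          # dropped letter
    "exampleacounting.xyz",          # dropped letter, different TLD
    "exmapleaccounting.com",         # transposed letters
    "exampleaccounting.xyz",         # identical label, different TLD
    "exampleaccounting-portal.com",  # too different to count at threshold 1
    "unrelatedcompany.net",
]


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'label.tld' into (registrable label, tld).

    Handles single-label TLDs only; public-suffix handling (e.g. co.uk)
    is out of scope for this example.
    """
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'exmaple' vs 'example' is one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


@dataclass
class Lookalike:
    candidate: str
    target: str
    distance: int
    tld_changed: bool


def find_lookalikes(candidates, legitimate=LEGITIMATE_DOMAINS, max_distance=1):
    """Return every candidate whose registrable label is within max_distance
    edits of a legitimate domain's label. An exact match on label and TLD is
    the organisation's own domain and is skipped; the same label on another
    TLD is reported with distance 0 and tld_changed=True."""
    hits = []
    for cand in candidates:
        c_label, c_tld = split_domain(cand)
        for legit in legitimate:
            l_label, l_tld = split_domain(legit)
            if c_label == l_label and c_tld == l_tld:
                continue
            dist = damerau_levenshtein(c_label, l_label)
            if dist <= max_distance:
                hits.append(Lookalike(cand, legit, dist, c_tld != l_tld))
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(CANDIDATE_DOMAINS):
        print(f"{hit.candidate:32} ~ {hit.target} (distance {hit.distance}, "
              f"tld changed: {hit.tld_changed})")
```

Run against a daily feed of new registrations, this turns a typosquat like the one in the story into an alert on registration day rather than on the day the leak goes public; pair each hit with the WHOIS creation date so a fresh registration of a near-identical name ranks above a long-standing unrelated one.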

Developing Trend

BlackCat used a similar method against an Oregon-based luxury spa and resort in a June attack. The group created a typosquatted website with a .xyz domain on the open internet to display employee and guest records of the spa and resort. At the time, the typosquatted website contained the personal data of 1,534 employees and spending totals of 2,789 named guests (see: BlackCat Extortion Technique: Public Access to Breached Data).

Threat actors invent new strategies all the time, said Brett Callow, a threat analyst at security firm Emsisoft, at the time.

"We've seen them transition from encryption-only attacks to encryption plus exfiltration, and now we're seeing them look for new ways to leverage the exfiltrated data," Callow told ISMG.

About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
