Chris Swagler | June 22nd, 2022

The ransomware group ALPHV or BlackCat has expanded the cyber extortion landscape by creating a dedicated website allowing customers and employees of attack victims to verify if their data was stolen during a breach. When ransomware groups launch an attack, they quietly steal companies’ data, and the threat actors begin encrypting devices after harvesting everything valuable. The stolen data is utilized in double-extortion schemes, in which threat actors demand a ransom payment in exchange for a decryptor, preventing the public release of company data.

Ransomware groups pressure victims into paying by creating a data leak website where they reveal portions of stolen data or email customers and employees warning them that their data was stolen. However, these extortion methods don’t always work as companies refuse to pay despite the risk that their corporate, employee, and customer data can be leaked. As a result, ransomware groups are continually refining their tactics to put additional pressure on victims.

The ALPHV/BlackCat ransomware operation is currently releasing supposedly stolen data, claiming it was obtained from an Oregon hotel and spa. The ransomware group, as part of the attack, claims to have stolen 112GB of data, including information on 1,500 employees, including Social Security numbers. Rather than simply leaking the data on their normal Tor site, the ransomware group went a step further and developed a public website for employees and customers to verify if their data was stolen during the hotel cyberattack. Employees, customers, or anyone can use this site to view information about hotel guests and employees’ personal information.

Even though customer guests’ data contains only names, arrival dates, and stay costs, employees’ data includes very sensitive information. Threat actors created “data packs” for employees containing files related to peoples’ employment at the hotel. Because the website is hosted on the public internet, search engines can index it and the disclosed information will likely be included in search results, making it potentially worse for victims.

The purpose of the website is to scare hotel employees and guests into demanding that their data be removed from the internet, which can be done only by paying the ransom. The ransomware group is hoping the tactic will increase their chances of monetizing attacks. Companies are willing to pay the demand if they know the information on their customers and employees will be made public in this manner to avoid potentially facing class-action lawsuits. Even though it’s an innovative strategy, it’s unclear whether the technique will be successful or become more common.

ALPHV is believed to be the rebranded DarkSide/BlackMatter ransomware group responsible for the Colonial Pipeline cyberattack, which brought these ransomware groups to the media’s attention and brought international law enforcement and the United States government’s full attention to them. The ALPHV ransomware group has been regarded as one of the top-tier ransomware operations. The ransomware group spent a significant amount of time setting up the website with individual employee data packs. Time will only tell if their efforts will pay off.

With ransomware groups constantly evolving their tactics and techniques to extort more ransom from their victims, it’s critical for companies to always remain alert to the current threat landscape and regularly update their data network security infrastructure. At SpearTip, our certified engineers are continuously monitoring companies’ networks for potential ransomware like ALPHV and are ready to respond to incidents at a moment’s notice. We examine companies’ entire security posture to improve the weak points in their network and measure the maturity of the technical environment. Our ShadowSpear Platform integrates with IT and security technology partners to enable the correlation of events from firewalls and network devices on a single pane of glass. We work in tandem with companies’ security teams to ensure the strongest security and protection of their business-critical data.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.