Chris Swagler | January 18th, 2023

ALPHV ransomware operators are becoming more brazen with their extortion tactics, which now include creating a duplicate of a victim’s website and publishing the stolen data on it. ALPHV, also known as BlackCat ransomware, appears to be testing new extortion strategies to pressure and shame victims into paying the ransom. Even if the tactic fails, it adds to an ever-expanding threat landscape that victims need to manage.

On their data leak site, hosted on the Tor network, the threat actors claimed to have infiltrated a financial services company. Because the victim didn’t comply with the demands, BlackCat published all the stolen data files as punishment, a common practice among ransomware operators. In a departure from the usual process, the operators also leaked the data on a site that resembled the victim’s in both appearance and domain name. The operators didn’t keep the original site’s headings; they organized the leaked data under their own headers. The cloned site sits on the open web, ensuring that the stolen files are widely available. It presently displays various documents, including memos to staff, payment forms, employee information, asset and expense data, financial data for partners, and passport scans. The documents total 3.5GB, and ALPHV also uploaded the stolen data to a file-sharing service that allows anonymous uploads and posted the link on its leak site.

Publishing the data on a typo-squatted domain can be a greater concern to the affected company than disseminating it through websites on the Tor network, which are mostly known within the information security community. It wouldn’t be a surprise if ALPHV tried to weaponize companies’ clients by directing them to the cloned websites.

Ransomware groups are constantly looking for new ways to extort their victims. Alongside stealing data, publishing the compromised companies’ information, demanding a ransom, and threatening DDoS attacks, this method could be the start of a new trend that other ransomware groups follow, especially given its low cost. It’s uncertain at this time how successful the strategy will be; however, it exposes the breach to a bigger audience and puts victims in a more vulnerable position because their data is freely available. ALPHV is also the first ransomware group to provide a search engine for specific data obtained from their victims, so customers and employees of a victim can use the pages to see if their data was stolen by the operators.

With ransomware groups looking for new methods to extort their victims, including cloning their websites to leak stolen data, it’s important for companies to remain alert to the current threat landscape and regularly update their network security infrastructure. At SpearTip, our certified engineers are continuously working 24/7/365 at our Security Operations Center monitoring companies’ data networks and handling their cyber incident response. It’s important for our engineers to know exactly what happened to their environment when it comes to protecting their sensitive data. Our engineers will work with the companies’ teams on-scene to investigate the nature of the breach, conduct thorough data analysis, and execute a recovery plan to help companies return to their normal operations. ShadowSpear Platform, our integrable managed detection and response tool, uses detection engines powered by artificial intelligence and attack tactics, techniques, and procedures (TTP) models to detect malicious activities.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.