BlackCat gang clones victim's website for data leak

The BlackCat ransomware gang has created a clone of a victim's website and uploaded stolen data to it as a new strategy to coerce and embarrass victims into paying up.

The ransomware group, also known as ALPHV and Noberus, posted on its data leak site last month that it had infiltrated a financial services company and was able to steal data from its systems.

Because the victim did not comply with BlackCat's ransom demands, the group made all of the stolen data public as a punishment. In a departure from its standard procedure, however, BlackCat published the information on a website that closely resembled the victim's own in appearance and domain name.

Hackers changed the site's original headings and created their own headers to organise the leaked data. They also hosted the cloned site on the open internet, so as many people as possible would be able to see the stolen data.

The website currently shows a variety of documents, such as staff memos, payment forms, employee information, data on assets and expenses, financial data for partners and passport scans: a total of 3.5 GB of documents.

BlackCat has also uploaded the files anonymously to a file-sharing service and posted links to the stolen material on its own leak site, which remains hidden on the Tor network.

Brett Callow, a threat expert at the cybersecurity firm Emsisoft, said publishing the material on a typosquatted domain would cause more trouble for the victim than uploading the stolen data through a website on the Tor network.

"I wouldn't be at all surprised if Alphv had attempted to weaponise the firm's clients by pointing them to that website," Callow said.

The FBI believes BlackCat is linked to the DarkSide group, which was responsible for the Colonial Pipeline hack in 2021.

BlackCat was first seen in November 2021, but rose to prominence last year with a series of heists targeting fuel logistics and transportation service providers in Europe, and educational institutions in the USA.

According to ransomware remediation firm Coveware, BlackCat was the most active ransomware organisation in the second quarter of 2022, responsible for 16.9% of publicised attacks, followed by LockBit (13.1%), Hive (6.3%), Quantum (5.6%) and Conti V2 (5.6%).

In August, the BlackCat group claimed responsibility for hacking Creos, a gas and electricity supplier in Luxembourg.

Last month, Colombian energy company EPM (Empresas Públicas de Medellín) fell victim to a BlackCat ransomware attack, which disrupted the company's operations and took down its online services.