Cybercriminal groups that specialize in stealing corporate data and demanding a ransom for not publishing it have tried countless approaches to shame their victims into paying. The latest innovation in increasing heat comes from the ALPHV/BlackCat ransomware group, which has traditionally released all stolen victim data on the Dark Web. Today, however, the group has begun posting individual victims’ websites on the public internet, with the leaked data made available in an easily searchable form.
ALPHV recently announced on its victim humiliation and extortion website that it had hacked into a luxury spa and resort in the western United States. In the last 24 hours, ALPHV published a website with the same victim name in the domain and its logo on the homepage.
The website claims to list the personal information of 1,500 station employees and more than 2,500 residents of the facility. At the top of the page are two “Verify yourself” buttons, one for employees and another for guests.
Brett Callowa threat analyst from security firm Emsisoft, called ALPHV’s move a “cunning tactic” that will most certainly worry their other victims.
Callow said most of the victim-shaming blogs maintained by major ransomware and data ransomware groups exist on obscure, slow-loading sites on the Darknet, accessible only through the use of third-party software like Tor. But the website erected by the ALPHV as part of this new means of pressure is available on the open internet.
“Companies will likely be more concerned about the prospect of their data being shared in this way than just being posted to an obscure Tor site whose URL almost no one knows,” Callow said. “It’s going to piss people off and make class action lawsuits more likely.”
It’s unclear if ALPHV plans to continue this approach with every victim, but other recent victims of the crime group include a school district and a US city. This is most likely a test to see if it improves results.
“We’re not going to stop, our leak distribution department will do their best to bury your business,” reads the victim’s website. “At this stage, you still have a chance to preserve the safety and reputation of your hotel. We urge you to be proactive in your negotiations; you don’t have much time.
Emerged in November 2021, ALPHV is perhaps most notable for its programming language (it’s written in Rust). ALPHV has actively recruited operators from several ransomware organizations – including REvil, BlackMatter and DarkSide – offering affiliates up to 90% of any ransom paid by a victim organization.
Many security experts believe that ALPHV/BlackCat is simply a rebranding of another ransomware group — “Dark side” a.k.a “BlackMatterthe same gang responsible for the 2021 attack on Colonial Pipeline that caused fuel shortages and price spikes for several days last summer.
Callow said there could be an upside to this ALPHV innovation, noting that his wife recently heard first-hand about another ransomware group – Cl0p.
“On a positive note, stunts like this mean people may actually find out that their IP has been compromised,” he said. “Cl0p emailed my wife last year. The company that lost her data still hasn’t made a public disclosure or informed those affected (at least they haven’t heard back of the company.)”