The Alphv (aka BlackCat) ransomware group is trying out a new tactic to push companies to pay for their post-breach silence: a clearnet (public Internet) website with sensitive data about the employees and customers stolen from a victim organization.
Alphv has created a @haveibeenpwned-like site on the clearnet where the employees and customers of a victim organization can check if their personal info. has been compromised. 1/3 pic.twitter.com/95BWwRPvhD
— Brett Callow (@BrettCallow) June 14, 2022
Like some other ransomware gangs before them, they will also probably use the compromised information to directly contact the affected individuals and notify them about their personal, financial and medical information being available online to anyone who knows how to search for it.
A new tactic: A leak site accessible to everyone
Brett Callow, a threat analyst at Emsisoft, noted that “Alphv is a rebrand of BlackMatter which was a rebrand of DarkSide which was used in the attack on Colonial Pipeline.”
According to Emsisoft, ALPHV usually targets large organizations with the resources and motivation to pay large ransom demands. It wields the BlackCat ransomware, which can infect both Windows and Linux machines.
“As ALPHV operates as a RaaS and can be distributed by many different affiliates, the exact anatomy of an attack can vary from incident to incident,” they added. Microsoft’s researchers have recently released a rundown of the tactics, techniques and procedures (TTPs) used by its various affiliates.
Many ransomware gangs have previously set up data leak sites to pressure victim organizations to pay the asked-for ransom, but they were usually set up on the dark web and inaccessible by those who don’t know how to use specific software (e.g., the Tor Browser).
In this latest development, the leak website leading to employee and customer information ostensibly stolen from a Oregon company in the hospitality industry is accessible via a regular browser and has been indexed by various search engines.
Affected individuals can use the search box to check whether their information has been compromised, and even download the full set of data and documents that have been stolen from the targeted company.
For employees, these can include information such as email and phone number, Social Security number, date of birth and other sensitive information contained in tax forms, results of medical tests and background checks, and so on. For customers, the stolen info is limited to their names, the check-in date, and the amount they paid for their stay.
With examples such as this one, this new approach should (in theory) exert some extra pressure on victim organizations, and bring an additional set of problems to those that refuse to pay (e.g., potential class action suits).
But only time will tell whether this line of action will actually work. If it does, we can expect other ransomware gangs/affiliates to follow suit.