BlackCat Spoofs Victim Website to Leak Stolen Data



Ransomware-as-a-Service Group a Pioneer in Typosquatted Domains to Spread Leaks


The BlackCat ransomware-as-a-service group is trying a new tactic to pressure victims into paying: creating a spoofed website on the public internet that exposes personal data stolen from the victim.


The group, also known as Alphv, allegedly stole 3.5 gigabytes of data from a U.S.-based small accounting firm. All of that data is apparently available on the spoofed website, which resolves to a domain name one spelling error away from the accounting firm's legitimate domain.

“We created a clearnet site with the stolen data, we hope you enjoy it!” BlackCat wrote on its leak site. The leak site also links to a copy of the stolen data hosted on a file-sharing service.

The data seen by Information Security Media Group appears to belong to the employees and clients of the accounting firm and contains cleartext passwords, employee details, audit reports, clients' tax return details, driver's licenses and unredacted scans of passports.

As of early Tuesday evening, the spoofed website was still online. WHOIS data shows that an unnamed party (the registration is private) registered the typosquatted domain on Dec. 22.

Developing Trend

BlackCat used a similar method against an Oregon-based luxury spa and resort in a June attack. The group created a typosquatted website with a .xyz domain on the open internet to display employee and guest records of the spa and resort. At the time, the typosquatted website contained the personal data of 1,534 employees and spending totals of 2,789 named guests (see: BlackCat Extortion Technique: Public Access to Breached Data).
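Both incidents share the same pattern: the leak domain is either the victim's own label under a different top-level domain (the .xyz case) or a label one spelling error away from the legitimate name. The check below, an added example and not code from the article or from any vendor named in it, generates every label at Damerau-Levenshtein distance 1 from a legitimate domain and flags entries in a newly-registered-domain feed that match it or reuse the label under another TLD. The domain names in the feed are constructed for illustration and are not the victims' names.

```python
"""
Typosquat monitoring: flag newly registered domains that sit one edit away
from a legitimate name, or reuse its label under a different TLD.
Added example; all domain names below are constructed, not real registrations.
"""
import string

# Characters allowed in a DNS label (case-insensitive in practice).
LABEL_CHARS = string.ascii_lowercase + string.digits + "-"


def split_domain(domain):
    """'www.example-firm.com' -> ('example-firm', 'com'). Strips a leading 'www.'."""
    domain = domain.lower().strip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    label, _, tld = domain.partition(".")
    return label, tld


def typo_variants(label):
    """Every label at Damerau-Levenshtein distance 1 from `label`:
    one deletion, one adjacent transposition, one substitution or one insertion
    (the classic spell-checker edit set), filtered to valid DNS labels."""
    splits = [(label[:i], label[i:]) for i in range(len(label) + 1)]
    deletes = {a + b[1:] for a, b in splits if b}
    transposes = {a + b[1] + b[0] + b[2:] for a, b in splits if len(b) > 1}
    replaces = {a + c + b[1:] for a, b in splits if b for c in LABEL_CHARS}
    inserts = {a + c + b for a, b in splits for c in LABEL_CHARS}
    variants = deletes | transposes | replaces | inserts
    variants.discard(label)
    # A DNS label may not be empty or start/end with a hyphen.
    return {v for v in variants if v and not v.startswith("-") and not v.endswith("-")}


def is_lookalike(legit, candidate):
    """True when `candidate` is a typosquat of `legit`: the same label under a
    different TLD (e.g. .xyz instead of .com), or a label one edit away."""
    legit_label, legit_tld = split_domain(legit)
    cand_label, cand_tld = split_domain(candidate)
    if cand_label == legit_label:
        return cand_tld != legit_tld
    return cand_label in typo_variants(legit_label)


def find_lookalikes(legit, newly_registered):
    """Filter a feed of newly registered domains down to lookalikes of `legit`."""
    return sorted(d for d in newly_registered if is_lookalike(legit, d))


# Constructed sample feed standing in for a daily new-registration list.
SAMPLE_FEED = [
    "examplecpa.com",        # the legitimate domain itself: not flagged
    "exampelcpa.com",        # adjacent transposition ("le" -> "el")
    "examplecpa.xyz",        # same label, different TLD
    "exmplecpa.com",         # one character deleted
    "examplecpa-tax.com",    # more than one edit away: not flagged
    "unrelated-bakery.net",  # unrelated: not flagged
]

if __name__ == "__main__":
    for hit in find_lookalikes("examplecpa.com", SAMPLE_FEED):
        print("possible typosquat:", hit)
```

Run against a real new-registration feed (or certificate-transparency log entries), any hit is worth a WHOIS lookup like the one described above, since a private registration of a near-miss of your own name days before a leak is exactly the signal this tactic leaves behind.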

Threat actors invent new strategies all the time, said Brett Callow, a threat analyst at security firm Emsisoft, at the time.

“We’ve seen them transition from encryption-only attacks to encryption plus exfiltration, and now we’re seeing them look for new ways to leverage the exfiltrated data,” Callow told ISMG.
