The ALPHV/BlackCat ransomware gang has created a website that lets customers and employees of a victim check whether their data was stolen in an attack.
Ransomware gangs typically steal corporate data quietly first, harvesting everything of value, and only then begin encrypting devices.
In this double-extortion scheme, the attackers then demand a ransom payment both to hand over a decryptor and to prevent the public release of the stolen data.
Ransomware gangs create data leak sites to pressure victims into paying.
These extortion techniques do not always work, though. Some companies simply decide not to pay, despite the risk of corporate, customer, and employee data being released.
Because of this, ransomware gangs keep evolving their tactics to apply additional pressure on their victims.
Yesterday, the ALPHV/BlackCat ransomware operation began releasing data it claims to have stolen from a hotel and spa in Oregon.
The ransomware gang claims to have stolen 112GB of data, including information about 1,500 employees, in this attack.
The ransomware gang has created a dedicated website that allows customers and employees to check whether their data was stolen during the attack. Traditionally, stolen data is leaked on Tor sites; on this site, anyone can view information about hotel guests and employees and other sensitive data.
While the guest data contains only names, stay costs, and arrival dates, the employee data is far more sensitive and includes Social Security Numbers, dates of birth, phone numbers, and email addresses.
The threat actors have also created “data packs” for each employee that contain files all about that person’s employment at the hotel.
The site is hosted on the clear web rather than on Tor, and it is indexable by search engines. This means the exposed data is likely to appear in ordinary search results, which is even more harmful for the people whose data is listed.
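Whether a leak page ends up in search results depends on three signals a crawler checks: robots.txt rules, the X-Robots-Tag response header, and a robots meta tag. The following Python script is an added example and not code from the article or from any party it describes; it evaluates those three signals for a page and runs entirely offline on constructed sample inputs (the example.com URL, the headers and the HTML snippets are made up for illustration).

```python
"""Decide whether a page could be indexed by search engines from three
signals: robots.txt rules, the X-Robots-Tag response header and a
<meta name="robots"> tag. All inputs below are constructed strings so the
example runs offline; nothing here performs a network request."""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


def _has_noindex(directive: str) -> bool:
    """True if a comma-separated robots directive contains noindex or none."""
    tokens = {t.strip().lower() for t in directive.split(",")}
    return bool(tokens & {"noindex", "none"})


def robots_allows(robots_txt: str, url: str, user_agent: str = "Googlebot") -> bool:
    """True if robots.txt lets user_agent crawl url.
    An empty robots.txt allows everything, which is the usual case for a
    site whose operator wants the content found."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return bool(parser.can_fetch(user_agent, url))


def header_noindex(headers: dict) -> bool:
    """True if an X-Robots-Tag header forbids indexing.
    Accepts both "noindex, nofollow" and the crawler-specific form
    "googlebot: noindex"."""
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        directive = value.split(":", 1)[1] if ":" in value else value
        if _has_noindex(directive):
            return True
    return False


class _RobotsMetaParser(HTMLParser):
    """Collects the content of <meta name="robots"> / <meta name="googlebot">."""

    def __init__(self) -> None:
        super().__init__()
        self.directives: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag.lower() != "meta":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() in ("robots", "googlebot"):
            self.directives.append(a.get("content") or "")


def meta_noindex(html: str) -> bool:
    """True if the page carries a robots meta tag with noindex."""
    parser = _RobotsMetaParser()
    parser.feed(html)
    return any(_has_noindex(d) for d in parser.directives)


def is_indexable(robots_txt: str, url: str, headers: dict, html: str) -> bool:
    """A page is indexable when crawling is allowed and no noindex directive
    is present. Note the asymmetry: a robots.txt Disallow stops crawling,
    but a crawler that cannot fetch the page also never sees a noindex tag,
    so blocking via robots.txt alone can still leave the URL in results."""
    return (
        robots_allows(robots_txt, url)
        and not header_noindex(headers)
        and not meta_noindex(html)
    )


# Constructed sample 1: no robots.txt rules and no noindex directives,
# the situation the article describes for the leak site.
OPEN_ROBOTS = ""
OPEN_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
OPEN_HTML = "<html><head><title>Employee records</title></head><body>...</body></html>"

# Constructed sample 2: the same page with crawling blocked and noindex set
# both in the header and in the markup.
CLOSED_ROBOTS = "User-agent: *\nDisallow: /\n"
CLOSED_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"}
CLOSED_HTML = '<html><head><meta name="robots" content="noindex"></head><body></body></html>'

# Hypothetical URL used only to exercise the check.
SAMPLE_URL = "https://example.com/employees/"

if __name__ == "__main__":
    print("open page indexable:  ", is_indexable(OPEN_ROBOTS, SAMPLE_URL, OPEN_HEADERS, OPEN_HTML))
    print("closed page indexable:", is_indexable(CLOSED_ROBOTS, SAMPLE_URL, CLOSED_HEADERS, CLOSED_HTML))
```

In practice the three inputs come from fetching `/robots.txt`, the page's response headers and its HTML; the check is useful to an incident response team documenting how exposed a leak page actually is and whether a search-engine removal request is warranted.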
The goal of the site is to get the resort to pay a ransom.
Brett Callow, a threat analyst at Emsisoft, first spotted this new extortion strategy.
He told BleepingComputer: “Alphv is no doubt hoping that this tactic will increase the probability of them monetizing attacks. If companies know that information relating to their customers and employees will be made public in this manner, they may be more inclined to pay the demand to prevent it from happening – and to avoid potentially being hit with class action lawsuits.”
It is too early to tell whether the tactic has worked.
AlphV is believed to be a rebrand of the DarkSide/BlackMatter gang, whose attack on Colonial Pipeline brought these hacking groups to the media’s attention.
The gang has long been considered one of the top-tier ransomware operations. At the same time, it is also known for unorthodox ideas that have landed it in trouble.