Public Access to Breached Data


BlackCat User Publishes Downloadable Stolen Data on Typosquatted Website

Mihir Bagwe (MihirBagwe)
June 15, 2022

Screenshot of the typosquatted website’s home page (Source: ISMG)

Operators of the BlackCat ransomware as a service appear to be using a new extortion technique: creating a dedicated website on the public internet revealing personal data stolen from victims.

On Tuesday, the BlackCat “name and shame” website published a link to an open website resolving to a typosquatted domain containing the personally identifiable information of thousands of individuals. The data appears to belong to employees of an Oregon wine country luxury spa and resort. As of late afternoon today, the typosquatted site appears to be offline.

Information Security Media Group is withholding the identity of the company to protect the privacy of its employees and guests, whose names, check-in dates and spending totals are also online. The luxury resort has not responded to requests for comment. Although the attack has not been confirmed, the resort’s website was inaccessible until shortly before publication.

Screenshot of a redacted post on BlackCat ransomware group’s “name and shame” site. (Source: Nicholas Carroll)

Posting online personal data stolen from a victim marks an escalation in criminal ransomware technique. Rather than slowly releasing stolen data on hidden websites to ramp up the pressure on victims to pay, this threat actor may be counting on a “shock and awe” approach. In a warning posted online, it states that, without a forthcoming payment, it will release the resort’s “entire accounting” onto the public internet. “We are not going to stop, our leak distribution department will do their best to bury your business,” the operators say.

Threat actors invent new strategies all the time, says Brett Callow, a threat analyst at security firm Emsisoft.

“We’ve seen them transition from encryption-only attacks to encryption plus exfiltration, and now we’re seeing them look for new ways to leverage the exfiltrated data,” Callow says.

As is the usual procedure for victims of BlackCat ransomware, the victim reportedly must establish contact with its hackers via Tor, according to a tweet from self-described “greying beard” cybersecurity professional Nicholas Carroll.

The Typosquatted Website

The typosquatted site shows a note threatening reputational damage if the victim company does not initiate negotiations. The website does not specify the ransom amount demanded or show the ransom note.

The attacker adds that the victim does not “have much time” to initiate negotiations, without specifying the deadline.

The typosquatted domain uses a [.]xyz top-level domain instead of the company’s correct [.]com domain. The typosquatted website contains the personal data of 1,534 employees and the spending totals of 2,789 named guests.

The site’s WHOIS entry shows a private individual supposedly with a Hong Kong mailing address registered the domain on May 31.

A screenshot showing redacted PII on the typosquatted search site. (Source: ISMG)

Leaked employee data includes first and last names, dates of birth, phone numbers, email addresses and Social Security numbers. There’s also an option to download the “full data” of any individual on the list as a [.]zip archive.

The zip files also contain sensitive data, including employee background checks, direct deposit agreements, medical information, emergency contact information, employment eligibility Form I-9 and employee withholding Form W-4, drug screening reports, offer letters and identity card data.

A redacted screenshot of what appear to be W-4 and I-9 forms of employees, published on the typosquatted site. (Source: ISMG)

Other Victims

BlackCat, also known as ALPHV, has quickly gained prominence as a provider of ransomware to an extended group of affiliates since first being spotted in the wild late last year. Analysis by cybersecurity firm Varonis shows the group actively recruiting operators with promises that affiliates can keep 90% of victims’ payouts. Recent victims of BlackCat ransomware include several educational institutions, such as the University of Pisa, the French engineering school Ecole des Ingénieurs de la Ville de Paris, Florida International University and North Carolina Agricultural and Technical State University. Also on the list is a Canadian public school district in Saskatchewan (see: BlackCat Attacks University of Pisa, Demands $4.5M Ransom).
