Ransomware Awareness – New Extortion Tactic Uses Spoofed Website of Victim to Publish Stolen Data

ALPHV/BlackCat, one of 2022’s most notable ransomware menaces, continues to evolve its data extortion tactics in ongoing attempts to coerce victims into paying. The most recent tactic involves the group creating a replica of a victim’s website to publish stolen data openly on the internet. While the domain name and appearance of the website closely resembles the victim’s legitimate site, ALPHV uses its own directory structure to organize the leaked data. At this time, it is unclear if this extortion tactic will prove successful, but this development does highlight the need for organizations to protect against domain spoofing as part of a ransomware resilience strategy.

As reported in WaterISAC’s Security & Resilience Update on December, 20, 2022, ALPHV/BlackCat was responsible for the attack against Empresas Públicas de Medellín (EPM), the Colombian public energy, water, and gas provider in December. Additionally, Suffolk County New York suffered a persistent compromise lasting eight months and twenty-one days at the hands of ALPHV/BlackCat.

Members may wish to consider purchasing domain monitoring to protect your domain name from being spoofed. Likewise, for more resources to help increase resilience against ransomware, visit CISA’s StopRansomware page. Check out BleepingComputer for more.

Additional Security & Resilience Update resources on ALPHV/BlackCat Ransomware

• Threat Awareness – Overview of BlackCat Ransomware (November 2, 2022)
• Threat Awareness – Ransomware Groups Attempting to Destroy Data Rather than Encrypt to Ensure Payouts (September 27, 2022)
• Threat Awareness – Emotet Botnet Now Delivering Quantum and BlackCat Ransomware (September 20, 2022)
• FBI FLASH – BlackCat/ALPHV Ransomware Indicators of Compromise (April 21, 2022)