Ransomware group ALPHV (Blackcat) with new extortion techniques (searchable database)

Sicherheit (Pexels, allgemeine Nutzung)[German]The ransomware group ALPHV (also known as Blackcat) seems to be breaking new ground in extortion techniques. In the past, victims have already been threatened with the publication of captured data in order to get them to pay a ransom. Now, the ALPHV ransomware group seems to have set up a searchable database where victims' data can be searched. This poses the risk of data from these documents being misused for further abuse (supply chain attacks, identity theft, phishing).


Security vendor Cyble writes that it has observed several threat groups in the past that have used searchable databases to extort money from their victims. The Karakurt data extortion group uses this extortion technique.

Searchable Database created by Karakurt Data Extortion Group
Searchable database created by the Karakurt data ransomware group, source: Cyble

This is exactly the path that ALPHV ransomware group is taking now, as it has developed a tool called "ALPHV Collections" for searching keywords in leaked databases. The announcement was made the days, as the following screenshot says.

ALPHV Announcement
ALPHV announcement, source: Cyble

On June 14, 2022, the leak site in question posted sensitive details about one of its victims. In addition to the usual practice of uploading the stolen data to Tor websites, the group also created a website called victim_name.xyz, where the social security number (SSN), date of birth, and email address of the victim organization's employee could be searched. However, security researchers are aware of only one victim to date where this extortion technique was used.


Risk of supply chain attacks

Security researchers have observed several incidents in the past where thread actors (TAs) have used leaked credentials to launch supply chain attacks. Similarly, ALPHV Collections can be used by other perpetrators to spy on their future victims. Currently, the database does not contain many records, but that is likely to change in the future.

If credentials are found in leaked documents, thread actors can easily access and use these credentials of users to carry out attacks on the customers of victim organizations. Details can be found in this blog post from Cyble. It also provides guidance on what organizations can do.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *