Threat operators belonging to the infamous ALPHV ransomware gang got creative recently when they switched up their extortion tactics with a brand-new technique. Experts observed that the notorious group used a replica they had created of the ransomware victim’s website to publish the data they had stolen from them.

Modus operandi of a ransomware gang

Known also by the name BlackCat ransomware, ALPHV has a reputation for trialling new extortion methods to heap pressure, and in some cases shame, on its victims to drive them to concede and pay ransom demands.

While these techniques are not always successful, they add to an increasingly complex threat landscape that ransomware targets and victims must attempt to navigate.

Towards the end of December last year, the threat group published on its dedicated data leak site obscured on a Tor network that it had compromised a firm in the financial services sector.

When the victim did not give in to the threat operator’s demands, ALPHV published every one of the stolen files as a penance. While this is a common step for many ransomware operators, what BlackCat did next represented a deviation from the standard process. The threat actors additionally leaked the stolen data on a bogus site that mimics the target’s website in terms of both appearance and domain name.

Operators at ALPHV did not retain the original headings of the website. Instead, they used headings of their own to organise the leaked information. The cloned site is visible on the clear web to support wide availability of the exposed stolen files. It displays various documents that include company memos to personnel, data on expenses and assets, payment forms, employee information, financial data on partners, and personally identifiable information (PII) such as passport scans.

A new trend for ransomware

Threat operators in the field of ransomware have always sought out new methods of extorting their targets. Between publishing the registered name of a breached company, exfiltrating data and then threatening to disclose it unless a ransom is paid, along with the Dedicated Denial of service menace, this technique could represent the beginning of a brand-new trend that could be copied and adopted by other gangs, with very little financial outlay involved.

Brett Callow, a leading threat analyst for the cybersecurity firm Emsisoft, commented that sharing the information using a typosquatted domain represented a larger concern for the victim company than the data being distributed via a site on the Tor network. He commented:

“I wouldn’t be at all surprised if ALPHV had attempted to weaponize the firm’s clients by pointing them to that website. This tactic could represent the start of a new trend that may be adopted by other ransomware gangs, especially since the costs to do it are far from significant.”

The leaked data amounted to 3.5GB worth of documents. BlackCat also shared the data via a file-sharing service that enables anonymous uploading and then distributed the link using its built-for-purpose leak site.