A ransomware operator created a fake website impersonating one of its victims and used it to post sensitive content stolen in the ransomware attack.
The approach is a first, and some security researchers believe it is a way of weaponizing the victim's customers against it.
Threat actors known as ALPHV (aka BlackCat) recently launched a successful ransomware attack on a financial services company and made off with 3.5 GB of sensitive documents, including employee memos, payment forms, employee data, assets and expenses, financial data for partners, passport scans and the like.
Typosquatted domains
The threats to release the data apparently didn't work on the victim company, which chose not to pay the ransom demand.
Ransomware operators typically expose stolen data on the dark web, where it is mainly seen by other criminals and security researchers. This time, ALPHV instead created a website on a typosquatted domain that looks and feels almost identical to the victim's legitimate website.
Speaking with BleepingComputer, Emsisoft threat analyst Brett Callow said that leaking the data via a typosquatted domain might be a more malicious approach: "I wouldn't be at all surprised if Alphv tried to arm the company's customers by pointing them to this website," Callow said.
We'll have to wait and see what the results of this approach will be, but it's safe to assume that if it's successful, we'll see many more typosquat websites exposing sensitive company data.
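As an added defensive illustration, not code from the article or from any vendor named in it, the following Python flags look-alike registrations of a company's domain, the kind of early warning that lets a security team spot a fake copy of its website before customers are pointed at it. The brand domain and the domain feed are constructed, and the homoglyph table is an assumption, not an exhaustive list.

```python
# Added example, not from the article: flag look-alike registrations of a
# company domain so a fake copy of its website can be spotted early.
# The brand domain and the sample feed below are constructed for illustration.
# Common visual substitutions (assumed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "rn": "m", "vv": "w", "cl": "d"}

def normalize(label):
    """Canonical form so visually similar labels compare equal."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Second-level label, e.g. 'examplebank' from 'examplebank.com' (assumes a one-label TLD)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(candidate, legit, max_distance=2):
    """Return why `candidate` resembles `legit`, or None if it does not."""
    if candidate.lower().strip(".") == legit.lower().strip("."):
        return None  # the genuine domain itself
    cand, good = registrable_label(candidate), registrable_label(legit)
    if cand == good:
        return "same-name-different-tld"  # examplebank.net
    if normalize(cand) == normalize(good):
        return "homoglyph"                # examp1ebank.com, exarnplebank.com
    if good in cand:
        return "brand-embedded"           # examplebank-secure.com
    d = levenshtein(cand, good)
    return f"edit-distance-{d}" if d <= max_distance else None  # exampelbank.com

def scan(candidates, legit):
    """Return [(domain, reason)] for every candidate flagged as a look-alike."""
    return [(d, classify(d, legit)) for d in candidates if classify(d, legit)]

# Constructed feed of newly observed domains, e.g. from certificate transparency logs.
SAMPLE_FEED = ["examplebank.com", "examp1ebank.com", "exarnplebank.com", "examplebank.net",
               "exampelbank.com", "examplebank-secure.com", "unrelatedshop.org"]
```

Running `scan(SAMPLE_FEED, "examplebank.com")` flags five of the seven entries; in practice the feed would be a stream of new registrations or certificates matched against every brand domain the company owns.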
Ransomware is a constantly evolving threat. At first, attackers simply encrypted all files on the target endpoints and demanded payment in Bitcoin.
As companies started keeping backups, criminals began stealing sensitive data and threatening to leak it online. In some cases, this is also followed by a Distributed Denial of Service (DDoS) attack that disrupts the victim's front-end services, as well as intimidation and persuasion via phone and email.
Via: BleepingComputer