https://krebsonsecurity.com/2022/06/ransomware-group-debuts-searchable-victim-data/

Krebs on Security

Ransomware Group Debuts Searchable Victim Data

June 14, 2022

Cybercrime groups that specialize in stealing corporate data and demanding a ransom not to publish it have tried countless approaches to shaming their victims into paying. The latest innovation in ratcheting up the heat comes from the ALPHV/BlackCat ransomware group, which has traditionally published any stolen victim data on the Dark Web. Today, however, the group began publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form.

[Image: clearwebvictim] The ALPHV site claims to care about people's privacy, but they let anyone view the sensitive stolen data.

ALPHV recently announced on its victim shaming and extortion website that it had hacked a luxury spa and resort in the western United States. Sometime in the last 24 hours, ALPHV published a website with the same victim's name in the domain, and their logo on the homepage.

The website claims to list the personal information of 1,500 resort employees, and more than 2,500 residents at the facility. At the top of the page are two "Check Yourself" buttons, one for employees, and another for guests.

Brett Callow, a threat analyst with security firm Emsisoft, called the move by ALPHV "a cunning tactic" that will most certainly worry their other victims. Callow said most of the victim shaming blogs maintained by the major ransomware and data ransom groups exist on obscure, slow-loading sites on the Darknet, reachable only through the use of third-party software like Tor. But the website erected by ALPHV as part of this new pressure tactic is available on the open Internet.

"Companies will likely be more concerned about the prospect of their data being shared in this way than of simply being posted to an obscure Tor site for which barely anyone knows the URL," Callow said. "It'll piss people off and make class actions more likely."

It's unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.

"We are not going to stop, our leak distribution department will do their best to bury your business," the victim website reads. "At this point, you still have a chance to keep your hotel's security and reputation. We strongly advise you to be proactive in your negotiations; you do not have much time."

Emerging in November 2021, ALPHV is perhaps most notable for its programming language (it is written in Rust). ALPHV has been actively recruiting operators from several ransomware organizations -- including REvil, BlackMatter and DarkSide -- offering affiliates up to 90 percent of any ransom paid by a victim organization.

Many security experts believe ALPHV/BlackCat is simply a rebrand of another ransomware group -- "Darkside" a.k.a. "BlackMatter," the same gang responsible for the 2021 attack on Colonial Pipeline that caused fuel shortages and price spikes for several days last summer.

Callow said there may be an upside to this ALPHV innovation, noting that his wife recently heard directly from a different ransomware group -- Cl0p.

"On a positive note, stunts like this mean people may actually find out that their PI has been compromised," he said. "Cl0p emailed my wife last year.
The company that lost her data still hasn't made any public disclosure or notified the people who were impacted (at least, she hasn't heard from the company.)"

This entry was posted on Tuesday 14th of June 2022 03:53 PM

4 thoughts on "Ransomware Group Debuts Searchable Victim Data"

1. Miguel June 14, 2022

How are they able to publish this kind of thing on the public internet? Surely it would be easy to trace the host and have it shutdown? Or is it in Russia or somewhere outside the reach of law enforcement?

   1. Kurt Seifried June 14, 2022

   It doesn't have to be online for very long, a lot of web hosts aren't super responsive or fast as this is a cost center for them.

2. Kurt Seifried June 14, 2022

What's fascinating to me is clearly companies aren't paying up, because... well who cares, right? Until someone cares and makes a lot of noise... I wonder how long until the ransomware people start contacting members of congress/your local member of parliament or whatever on your behalf "Hi, we have all the data for [name of your constituent] living at [address] because [company name] had crappy security."

3. Sus of HR June 14, 2022

It's common practice for companies to provide employee PII to vendors for "free trials" or preferred pricing on goods and services. It's not illegal, yet California has no law protecting employees from this practice whether a given employee consents by accepting that free trial or that goods/services discount or declines. There is no deterrence for company HR professionals to stop the practice, but with this spin on corporate ransomware there may now be. It's brand reputation damage and employees are largest consumers of their company's branding.
PII leaks may put-off prospective employees, may impact retention, and may affect new business generation. Asking California to lead the way here.