Ransomware gang deploys BlackCat to attack hotel and creates searchable website of hacked data

Cyber-criminal groups have recently ramped up their use of Ransomware-as-a-Service (RaaS) BlackCat/ALPHA-V, first identified by security researchers in November 2021, and upped the ante by publishing the hacked data on a dedicated website.

A criminal gang has deployed BlackCat ransomware to attack a US hotel, and has published the stolen data on a dedicated, indexable website.

BlackCat is written in the Rust programming language, which, as security researchers have pointed out, makes it more likely to evade cyber defences than older ransomware toolkits written in languages such as C++. Rust's flexibility also gives BlackCat cross-platform capabilities - and consequently a much larger range of targets.

Different criminal groups have different tactics, techniques and procedures (TTPs) for deploying BlackCat but their aims are universal. BlackCat hits victims with a double extortion. Data is not just encrypted, it's exfiltrated. If victims don't pay up to have the data decrypted and returned, the criminals demand payment for not releasing that data onto a website.

This is exactly what has reportedly happened to a hotel in Oregon, according to BleepingComputer. Employees had data including social security numbers leaked onto a searchable website. Customers also had data about their stays at the hotel and spa published.

The gang behind the attack invested time in creating employee packs - neat files where hotel employees could find all data pertaining to them.

RaaS has become an increasingly popular tool for criminals who aren't as technically gifted as some of their competitors. RaaS toolkits REvil and DarkSide were deployed in last year's Colonial Pipeline and JBS attacks.

The creation of the searchable files is a noticeable shift in tactics from the criminals deploying BlackCat, in that it makes it clearer to victims that they have been hacked.

The gang has claimed multiple victims since last November, predominantly in the US and Europe, according to the FBI, which issued a white flash alert on BlackCat in April.