BlackCat ransomware crims threaten to directly extort victim's customers

Accounting software firm Tipalti says it’s investigating alleged break-in of its systems


The AlphV/BlackCat ransomware group said it plans to "go direct" to the clients of a firm it allegedly attacked to extort them, claiming to have infiltrated the systems of accounting software vendor Tipalti.

BlackCat claims it has had access to Tipalti's systems since September 8 and alleges that since then it has managed to exfiltrate more than 265GB of "confidential" data belonging to the company, its employees, and its clients. Tipalti said it is "thoroughly" investigating the gang's claims.

The criminals believe their chances of getting an extortion payment from Tipalti directly are slim, based on their apparent understanding that Tipalti's cyber insurance policy doesn't cover extortion and – or so it claims – an evaluation of its internal discussions suggesting they would not engage with cybercriminals.

So, instead of applying the varying degrees of extortion tactics on Tipalti, AlphV/BlackCat said it would instead extort the vendor's clients directly, threatening to start with Roblox and streaming platform Twitch.

The gang went on to say if the two clients don't meet its extortion demands, then data will be published slowly, over a period of months, to maximize the damage to the companies' public image.

BlackCat cited Roblox's previous extortion incident from July 2022 as another reason why it publicized the claim of the attack, due to the video game giant allegedly stalling negotiations repeatedly and ultimately refusing to pay on that occasion.

The gang, also known as AlphV, also used the incident to justify its plans to go further down the rabbit hole and extort Roblox's affected stakeholders individually, including the developers for the game's content hub. The gang claims to have significant confidential data, such as tax documents, in its possession.

"If you are not prepared to talk figures within two hours of receiving the file lists or samples, we will immediately resort to the strategies we have mentioned earlier," it said. "There is no room to negotiate for these two companies, you either pay or you don't."

In a Tuesday update, AlphV/BlackCat said it has already contacted the first batch of victims: the group of organizations that had the most data stolen from them.

Dirk Schrader, field CISO EMEA and VP of security research at Netwrix, said the new negotiation tactics on display aren't surprising given AlphV/BlackCat's more recent stunts.

"While AlphV's tactic to try to extort an indirect victim has not been seen before, it is not a surprise," Schrader told The Register. "AlphV has previously shown that it will use all kinds of threats to achieve its main aim – earning money."

Brett Callow, threat analyst at Emsisoft, agreed that the behavior is typical of ransomware groups that continually test the effectiveness of different tactics.

"Like legitimate businesses, cybercriminals constantly experiment and a/b test in order to work out which strategies are the most effective," he said. "Some strategies – like baking cakes or filing SEC complaints – are intended to keep incidents in the headlines as that puts additional pressure on victims. In other words, they try to weaponize the press."

"Organizations – regardless of their size – will have to prepare themselves and their supply chains for this increased pressure," Schrader added. "With the evolvement of a threat, it is not sufficient anymore for organizations to be managing their own attack surfaces, namely data, identities, and infrastructure. A coordinated look at the type of data held by a partner, the accounts and privileges held by a third-party supplier, followed by a conversation about this kind of scenario is the best approach going forward."

In addition to Roblox and Twitch, Tipalti's website lists an array of other high-profile customers, including Discord, Canva, GoDaddy, and Twitter/X. The Register has contacted each but most did not respond.

Tipalti was one of the few to reply, with a spokesperson saying: "Over the past weekend, a ransomware group claimed that they allegedly gained access to confidential information belonging to Tipalti and its customers. Tipalti takes the security of our systems and data very seriously and has strong security protocols and tools in place. We are thoroughly investigating this claim."

Used car dealer Cazoo – also a Tipalti customer – responded saying it would ask questions internally and consider a response.

X's press email predictably auto-replied with "busy now, please check back later" – what it now sends every reporter since Musk sacked the comms team shortly after the takeover. At least it's not the poop emoji anymore. ®
