Ransomware group clones victim’s site to leak stolen data

ALPHV ransomware attackers have become creative in their extortion tactics, creating a replica of a victim’s site to post the stolen data.

ALPHV (also known as BlackCat) is well known for using extortion techniques to shame and pressure victims into paying.

These tactics are not always successful, but they create an ever-increasing threat environment that victims must navigate.

Hackers make stolen data easier to find

On December 26th, the threat actor posted on its leak site, hidden on the Tor network, that it had compromised a financial services company.

BlackCat released all the files stolen from the company to punish the victim for not complying with its demands. This is a common step taken by ransomware gangs.

In a departure from normal procedure, the hackers also leaked the data on a website that looked identical to the victim’s own site.

ALPHV ransomware impersonates victim site to leak stolen data (source: BleepingComputer)

The hackers did not keep the original site’s headings; they created their own headings to organize the leaked data.

To ensure that the files are easily accessible, the cloned website is hosted on the open web rather than on Tor. The site currently displays various documents, including memos for staff, payment forms and employee information. It also contains data about assets and expenses, and financial data belonging to a partner.

ALPHV ransomware publishes stolen data on site impersonating the victim (source: BleepingComputer)

There are approximately 3.5GB worth of documents. The group also shared the stolen data via a file-sharing service that allows anonymous uploads, and distributed the link on its leak site.

Setting a trend in a new direction

A threat analyst at cybersecurity company Emsisoft stated that sharing data from a typosquatted site poses a greater risk to the victim than publishing it on a Tor website, which is mainly known to the infosec community.

“I would not be surprised if Alphv tried to use the firm’s clients to their advantage by pointing them towards that website.”

This could be the start of a new trend, particularly since it is not expensive to set up.

Ransomware gangs have been looking for new ways to extort victims. This tactic joins the existing ones (publishing the name and data of the compromised company, threatening to publish the information unless a ransom is paid, and issuing DDoS warnings) and could mark the start of a new trend.

Although it is not yet clear how effective this strategy is, it makes the breach visible to a far larger audience and puts the victim in a much more difficult position, since its data is readily accessible without restriction.

ALPHV was also the first ransomware group to publish data taken from victims on dedicated pages. These pages allow victims’ employees and customers to check whether their own information has been exposed.