Alert of the Month- Dark Web Ransomware Bots and Breaches

The Alert of the Month for April 2022 is a ransomware data breach originating from the dark web but first found on Telegram.

Prefer to listen to the analysts themself? Watch our live stream on Linkedin.

This alert is a prime example of how difficult it can be to locate a data breach without external risk protection. Without visibility beyond the perimeter, this breach likely would have remained undetected for months and facilitated multiple cybercrimes. On March 22, at 2:04 AM, the platform identified a Telegram post mentioning our client on the channel of the Ransomware_bot, a group dedicated to following and announcing ransomware attacks. The bot’s latest post was sharing new offerings from the ransomware gang AlphVm a.k.a. BlackCat. BlackCat was offering A file with over 1000 GB of corporate data was available for purchase, allegedly, the data included client data, financial reports, contracts, and logistics. This information was available on the BlackCat website, easily accessible via a handy link in the Telegram post.   CybelAngel Cybersecurity Analyst Tania Abou Ltaif was assigned the initial alert and began her investigation. “Ransomware groups’ goal is to extort money. So they tend to talk up their holdings. We must confirm the threat and gather as much information as possible. Understanding who stole and what they stole will be vitally important for our customers so that we can help them resolve the issue.” When reviewing the data on offer, Tania confirmed “they had our client’s data, including financial reports, company contracts, logistics schedules, and accounting information. With such a wide array of information, there are many risks. You have competitive intelligence, network penetrations, social engineering, business losses, and image and reputation. Simple schemes like resubmitting old invoices with a new account number can steal millions from a company.” Tania noted that “BlackCat, a.k.a. AplhVM, is a sophisticated, professional malware operation. The group has garnered a reputation for aggressively posting details about their victims publically. As of now, BlackCat’s only online presence is an exclusive Onion site where they post updates on targets and activities.” “Ransomware bots like those we watch on telegram and other platforms act as content syndication for data exposures, so notifying the customer quickly is important. I collected everything and then contacted our REACT (REsearch and Analysis of Cyber Threats) team specializing in the dark web. Once I informed the client of the risk, they would have all the resources they needed,” said Tania. “When I informed, the client immediately began working with us on remediation. They were unaware of the incident, so they had a lot of questions from their Incident Response Team,” Tania explained. Seeing the client’s need for specialized help, Tania offered the REACT team to assist with the investigation and analysis of what was stolen. “Having dark web experts to speak with the client went a long way to reassuring the client and getting them set up for a successful response. CybelAngel’s world-leading external risk protection platform detects and resolves external threats well before they’re exploited. Named a “Best of Breed” by Gartner in 2021, organizations worldwide rely on CybelAngel to discover, monitor, and resolve external threats across all layers of the Internet, keeping their critical assets, brand, and reputation secure.