In a new twist, threat actors are using a typosquatted domain name to increase the chances that stolen data will be seen by the general public when the ransom is not paid.
The majority of ransomware attacks (the most recent figure is 86% of them) utilize some form of data exfiltration to increase the chances of the ransom being paid. Historically, when the data was published, it was posted to a specific website only available on the Tor network and only really accessible to hackers and the infosec community.
But a recent attack by the ALPHV ransomware gang (also known as BlackCat) takes a very dangerous turn. According to BleepingComputer, ALPHV copies the victim's website (mostly for look and feel), modifies it to be the shell for the published stolen data, and then hosts it on a lookalike domain name that can be reached by simply mistyping the victim's domain name, making the data accessible to anyone attempting to do business with the victim organization.
Source: BleepingComputer
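The defensive counterpart to the lookalike-domain tactic described above is watching for mistypings of your own domain before an attacker registers one. The following is an added illustration, not code from the original post or from BleepingComputer; the domain example-corp.com and the small QWERTY adjacency table are constructed for the demo.

```python
"""Generate typosquat candidates for a protected domain and flag lookalikes.

Added illustration (not from the original post). "example-corp.com" is a
constructed placeholder; ADJACENT is a small QWERTY subset for the demo.
"""

# Constructed subset of QWERTY adjacency used for fat-finger substitutions.
ADJACENT = {
    "a": "qwsz", "c": "xdfv", "e": "wrsd", "l": "kop", "m": "njk",
    "o": "ilp", "p": "ol", "r": "etdf", "x": "zsdc",
}


def typo_variants(domain: str) -> set[str]:
    """Return plausible mistypings of the label in front of the TLD.

    Covers the slips a user makes when typing quickly: a dropped character,
    two swapped neighbours, a doubled character, a hit on an adjacent key,
    and a dropped hyphen. The TLD is kept unchanged.
    """
    label, _, tld = domain.rpartition(".")
    out: set[str] = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                    # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])     # repetition
        for k in ADJACENT.get(label[i], ""):
            out.add(label[:i] + k + label[i + 1:])            # adjacent key
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap
    out.add(label.replace("-", ""))                           # dropped hyphen
    out.discard(label)                                        # never flag self
    return {f"{v}.{tld}" for v in out if v}


def is_lookalike(observed: str, protected: str) -> bool:
    """True if the observed domain is a typo variant of the protected one.

    A hit from a monitoring feed (new registrations, passive DNS, inbound
    links) is what a defender escalates for blocking or a takedown request.
    """
    return observed.lower() in typo_variants(protected.lower())


if __name__ == "__main__":
    for d in ("exampl-corp.com", "examplecorp.com", "exmaple-corp.com",
              "example-corp.com", "totally-different.com"):
        print(f"{d:24} lookalike={is_lookalike(d, 'example-corp.com')}")
```

Feeding the variant set into a certificate-transparency or newly-registered-domain watch gives early warning that a lookalike has appeared.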
The real danger here is if this becomes a trend. The last thing a victim organization wants is to have their customers seeing a well-organized set of leaked data; it demonstrates just how out of control the victim org really is and damages their reputation.
This advancement in tactics demonstrates why it's absolutely necessary to be laser-focused on preventing ransomware attacks, rather than assuming you only need to be able to recover from them. Prevention starts (in most cases of ransomware) with stopping phishing attacks. As we know, 1 out of 10 attacks makes its way to the inbox, so despite the efficacy of security solutions, the organization must assume some will get through and needs Security Awareness Training to involve the user in strengthening the organization's security stance.