The Shift from RSS Feeds in Data Extortion
ALPHV ransomware has gained attention recently due to its distinctive and unconventional methods deployed on its leak sites. Recently ALPHV ransomware released a Python crawler designed to synchronize their leak posts and attachments with any database. The crawler has a feature that ensures that only modified or new articles are considered for synchronization by utilizing the updatedDt field.
The figure below shows the API feature mentioned on the ALPHV leak site.
Based on our analysis, there are several possibilities for the API implementation and its release. One of them could be:
- Simplifying the data extortion process. People can use the API to interact with the extortion site and automate the extraction of old and newly created leak posts and their attachments.
The API release might increase the risk of data being available to multiple threat actors and groups. Previously, we have observed instances where scammers retrieve data from these sites and leverage it for illicit purposes or parse / extract sensitive documents and Personally Identifiable Information (PII) data relevant for monetizing on the cybercrime forums.
Background
ALPHV, or “Blackcat”, is an advanced ransomware strain based on the Rust programming language. With potential affiliations to BlackMatter and DarkSide ransomware groups, ALPHV operates under the Ransomware-as-a-Service (RaaS) model, allowing affiliates access to pre-developed ransomware tools. Employing a combination of extortion techniques, the Threat Actors (TAs) exfiltrate and encrypt victim data. In the event of non-payment, the group resorts to data publication on their leak site. Notably, ALPHV has introduced new tactics, offering leaked data in a searchable format and creating spoofed domains of victims to leak their data.
The majority of ALPHV ransomware victims are from the United States, with victims spanning across the globe.
The figure below shows the heat map of ALPHV ransomware.
Analysis
In the past, there were several data leak sites operated by ransomware groups that offered the feature of RSS feeds. These feeds allowed people to receive alerts whenever changes were made to the leak site. As a result, even less technically skilled individuals could quickly access details of any updated or new victim’s posts without relying on automation.
The figure below shows the RSS feed option available on data leak sites.
Recently the ALPHV ransomware released an API for fetching content from their leak site. This API allows the extraction of historical data and the option of synchronizing new posts or updates made on the leak site. This API can also be used to fetch attachments from victims’ posts.
The following statements are mentioned on the leak site by the operator of the ransomware group:
“Usage
Fetch updates since the beginning and synchronize each article with your database.
After that any subsequent updates call should supply the most recent `updatedDt` from prevoiusly synchronized articles + 1 millisecond.”
This group has also shared a Python crawler on their leak site, shown in the figure below.
The release of this API can be attributed to various reasons, one of which involves its utilization for broader coverage of activities and facilitating extortion schemes. Additionally, before integrating the API, individuals were resorting to their own toolsets or relying on third-party feeds and open-source tools to monitor such sites.
However, these methods often impose excessive server load, particularly considering the frequent DDoS attacks on leak sites. To address this issue, the integration of the API by TAs might have been implemented as a measure to mitigate the server load to some extent.
Conclusion
Implementing an API on a data extortion site raises concerns, as inexperienced threat actors could potentially exploit it for malicious purposes. By deploying the API, the scope of their activities widens, allowing such actors to target a larger number of potential victims and strengthen their extortion schemes.
Moreover, the API integration could serve a crucial purpose, which is to tackle the server load problems arising from using third-party tools for monitoring data leak sites. The reliance on these external tools often imposes unnecessary strain on the servers, particularly in light of the frequent Distributed Denial of Service (DDoS) attacks commonly faced by leak sites.
Our Recommendations
- Define and implement a backup process and secure those backup copies by keeping them offline or on a separate network
- Monitor darkweb activities for early indicators and threat mitigation
- Enforce password change policies for the network and critical business applications or consider implementing multi-factor authentication for all remote network access points
- Reduce the attack surface by ensuring that sensitive ports are not exposed to the Internet
- Conduct cybersecurity awareness programs for employees, third parties, and vendors
- Implement a risk-based vulnerability management process for IT infrastructure to ensure that critical vulnerabilities and security misconfigurations are identified and prioritized for remediation
- Instruct users to refrain from opening untrusted links and email attachments without verifying their authenticity
- Deploy reputed anti-virus and internet security software packages on your company-managed devices, including PCs, laptops, and mobile devices
- Turn on the automatic software update features on computers, mobiles, and other connected devices
