The criminals believe their chances of getting an extortion payment from Tipalti directly are slim, based on their apparent understanding that Tipalti's cyber insurance policy doesn't cover extortion and - or so it claims - an evaluation of its internal discussions suggesting they would not engage with cybercriminals.
Rather than applying varying degrees of extortion tactics to Tipalti, AlphV/BlackCat said it would extort the vendor's clients directly, threatening to start with Roblox and streaming platform Twitch.
The gang went on to say that if the two clients don't meet its extortion demands, data will be published slowly, over a period of months, to maximize the damage to the companies' public image.
BlackCat cited Roblox's previous extortion incident from July 2022 as another reason why it publicized the claim of the attack, due to the video game giant allegedly stalling negotiations repeatedly and ultimately refusing to pay on that occasion.
The gang, also known as AlphV, also used the incident to justify its plans to go further down the rabbit hole and extort Roblox's affected stakeholders individually, including the developers for the game's content hub.
The gang allegedly has significant confidential data, such as tax documents, in its possession.
In a Tuesday update, AlphV/BlackCat said it has already contacted the first batch of victims, a group of organizations that have had the largest amount of data stolen from them.
Dirk Schrader, field CISO EMEA and VP of security research at Netwrix, said the new negotiation tactics on display aren't surprising given AlphV/BlackCat's more recent stunts.
Brett Callow, threat analyst at Emsisoft, agreed that the behavior is typical of ransomware groups that continually test the effectiveness of different tactics.
In addition to Roblox and Twitch, Tipalti's website lists an array of other high-profile customers, including Discord, Canva, GoDaddy, and Twitter/X. The Register has contacted each but most did not respond.
Used car dealer Cazoo - also a Tipalti customer - responded saying it would ask questions internally and consider a response.
This Cyber News was published on go.theregister.com. Publication date: Tue, 05 Dec 2023 13:13:05 +0000