A recent and intriguing analysis by the threat intelligence provider Clearsky (https://www.clearskysec.com/) looked into the alleged ransomware attack against the fintech and global payments provider Tipalti by the notorious ransomware-as-a-service (RaaS) operator ALPHV, a.k.a. BlackCat.
The analysis points out several novelties, even peculiarities, that we do not usually see in ransomware attacks. At its core this is another supply chain attack, but this time with a twist. For the detailed analysis, see the report attached below; a few points are worth mentioning and digging into here.
First, the threat actor claims it will refrain from blackmailing the direct victim, Tipalti, declaring instead that it will concentrate on Tipalti's clients, starting with Roblox, a publicly traded company (NYSE: RBLX; https://www.marketwatch.com/investing/stock/rblx), and Twitch, an Amazon company. ALPHV may indeed forgo extorting Tipalti directly, but the wording of the public announcement it published is aimed at causing significant harm to the company and exposing it to multiple legal and reputational threats (https://twitter.com/DarkWebInformer/status/1731139519129231822).
Second, news of the attack was allegedly made known to the main victim by a public announcement rather than by a discreet message urging it to pay and avoid publicity.
ALPHV also claimed that it was helped by an insider, whom it says it still controls as the episode unfolds; a level of candor CIPTeam has not encountered before, and one that points at an alleged soft underbelly of the victim.
The threat actor claims it will publish sensitive data belonging to Tipalti's clients, timed with the opening of the market on the coming Monday, and allows the victims merely two hours to negotiate a payment, a timeframe seldom seen in ransomware cases.
Some of the claims ALPHV made seem unrealistic, as they potentially undermine its own cause or needlessly expose and endanger methods and means, specifically the alleged internal source within Tipalti that is supposedly still being run while the saga continues. Most likely the claim is untrue and is aimed at wreaking havoc across Tipalti and its clients.
Interestingly, both Tipalti and Roblox claimed no knowledge of the attack or of any data breach, but the question to be asked is: does the public need evidence of an attack, or is the claim itself a powerful enough blow to a victim's reputation? The claim alone seems to have prompted people to search for 'Tipalti' in conjunction with the terms 'breach' and 'safe'.
The last interesting fact about this alleged attack was the threat actor's disappearance off the air. On December 07, 2023, ALPHV's data-leak website went offline and remained offline for more than 30 hours. Rumor had it that the threat actor was the target of a law enforcement operation, while an anonymous spokesperson for ALPHV claimed the outage was temporary and caused by a technical issue. The fact is that, at the time of writing, no law enforcement agency had announced such an operation (as they usually do in similar circumstances).
As for the current state of affairs, ALPHV's leak site is back online but empty of victims and their data (https://twitter.com/Cyberknow20/status/1734271359566635358). This is certainly good news for past victims, at least those who did not have their data encrypted and were "only" blackmailed over the data that was exfiltrated.
As for Roblox, the stock seemed to dip after the alleged breach was published, but appears to be returning to earlier levels after the company announced a thorough investigation that found no evidence of a breach.
So, what would be the takeaways from this?
- You don't have to be actually breached. Sometimes a claim alone is enough to create a corporate headache.
- A swift investigation and transparent communication seem to be face savers, as long as nothing is found.
- Threats to one's reputation work both ways. Threat actors have their own reputation to maintain…