ALPHV ransomware adds data leak API in new extortion strategy


The ALPHV ransomware gang, also referred to as BlackCat, is trying to put more pressure on their victims to pay a ransom by providing an API for their leak site to increase visibility for their attacks.

This move follows the gang’s recent breach of Estée Lauder that ended with the beauty company completely ignoring the threat actor’s effort to engage in negotiations for a ransom payment.

API calls and Python crawler

Multiple researchers spotted earlier this week that the ALPHV/BlackCat data leak site added a new page with instructions for using their API to collect timely updates about new victims.

APIs, or Application Programming Interfaces, are typically used to enable communication between two software components based on agreed definitions and protocols.

Malware research group VX-Underground pointed to the new section on ALPHV’s site, but it appears that the “feature” has been partially available for months, though not to a wider audience.

The ransomware gang posted the API calls that would help fetch various information about new victims added to their leak site, or updates starting from a specific date.

“Fetch updates since the beginning and synchronize each article with your database. After that any subsequent updates call should supply the most recent `updatedDt` from prevoiusly [sic] synchronized articles + 1 millisecond,” the gang explained.
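The synchronization rule quoted above, worked through as an added example (not code from the article or from the gang's published instructions): a threat-intel collector pulls everything once, keys each article by id, and on every later poll asks only for records newer than the latest stored `updatedDt` plus one millisecond. The endpoint is replaced by an in-process mock, and the sample feed, `id` and `title` fields are constructed for illustration.

```python
"""Incremental sync against an 'updates since' API: full pull first, then
poll with a cursor of (most recent stored updatedDt + 1 ms). The feed and
the fetch function below are constructed stand-ins for the remote API."""
from datetime import datetime, timedelta, timezone

# Constructed sample feed (not real data) standing in for the remote listing.
SAMPLE_FEED = [
    {"id": "a1", "title": "first", "updatedDt": "2023-07-25T10:00:00.000Z"},
    {"id": "a2", "title": "second", "updatedDt": "2023-07-25T10:00:00.500Z"},
    {"id": "a3", "title": "third", "updatedDt": "2023-07-25T10:00:01.000Z"},
]

def parse_dt(s):
    # ISO-8601 with millisecond precision and a trailing 'Z' (assumed format)
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def format_dt(dt):
    # Emit exactly three fractional digits so the cursor round-trips through parse_dt
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def make_fetch(feed):
    """Mock of the 'updates since' call: articles with updatedDt >= since."""
    def fetch(since=None):
        if since is None:
            return list(feed)
        cutoff = parse_dt(since)
        return [a for a in feed if parse_dt(a["updatedDt"]) >= cutoff]
    return fetch

def next_cursor(db):
    """Most recent updatedDt already stored plus 1 ms, or None for a first sync."""
    if not db:
        return None
    latest = max(parse_dt(a["updatedDt"]) for a in db.values())
    return format_dt(latest + timedelta(milliseconds=1))

def sync(db, fetch):
    """One poll: fetch after the current cursor and upsert by id.
    Returns how many articles were new or changed in the local store."""
    changed = 0
    for article in fetch(next_cursor(db)):
        if db.get(article["id"]) != article:
            db[article["id"]] = dict(article)
            changed += 1
    return changed
```

Because the cursor sits one millisecond past the newest stored record, a second poll with no upstream changes returns nothing, while an article later re-published with a newer `updatedDt` is picked up and overwritten in place.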
