{
	"id": "518fe048-656a-4fac-90f5-f66748da6b37",
	"created_at": "2026-04-06T00:10:15.456483Z",
	"updated_at": "2026-04-10T13:11:34.735004Z",
	"deleted_at": null,
	"sha1_hash": "d7c71b5434bd6b37a6c5d814a011d8b9afc94119",
	"title": "Ransomware gang cloned victim's website to leak stolen data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1951062,
	"plain_text": "Ransomware gang cloned victim's website to leak stolen data\r\nBy Ionut Ilascu\r\nPublished: 2023-01-01 · Archived: 2026-04-05 18:54:14 UTC\r\nThe ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victim's site to publish stolen data on it.\r\nIt appears that ALPHV, also known as BlackCat ransomware, is known for testing new extortion tactics as a way to pressure and shame their victims into paying.\r\nWhile these tactics may not be successful, they introduce an ever-increasing threat landscape that victims need to navigate.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victim-s-website-to-leak-stolen-data/\r\nHackers make stolen data easier to get\r\nOn December 26, the threat actor published on their data leak site hidden on the Tor network that they had compromised a company in financial services.\r\nAs the victim did not meet the threat actor’s demands, BlackCat published all the stolen files as a penalty - a standard step for ransomware operators.\r\nAs a deviation from the usual process, the hackers decided to also leak the data on a site that mimics the victim's as far as the appearance and the domain name go.\r\nALPHV ransomware impersonates victim site to leak stolen data\r\nsource: BleepingComputer\r\nThe hackers did not keep the original headings of the site. They used their own headings to organize the leaked data.\r\nThe cloned site is on the clear web to ensure the wide availability of the stolen files. 
It currently shows various documents, from memos to staff, payment forms, employee info, data on assets and expenses, financial data for partners, and passport scans.\r\nALPHV ransomware publishes stolen data on site impersonating the victim\r\nsource: BleepingComputer\r\nIn total, there are 3.5GB of documents. ALPHV also shared the stolen data on a file-sharing service that allows anonymous uploading and distributed the link on its leak site.\r\nNew trend forming\r\nBrett Callow, threat analyst at cybersecurity company Emsisoft, said that sharing the data on a typosquatted domain would be a bigger concern to the victim company than distributing the data through a website on the Tor network, which is known mainly by the infosec community.\r\n“I wouldn't be at all surprised if Alphv had attempted to weaponize the firm's clients by pointing them to that website” Brett Callow\r\nThis tactic could represent the start of a new trend that may be adopted by other ransomware gangs, especially since the costs to do it are far from significant.\r\nRansomware operations have always looked for new options to extort their victims. Between publishing the name of the breached company, stealing data and threatening to publish it unless the ransom is paid, and the DDoS menace, this tactic could represent the start of a new trend that may be adopted by other ransomware gangs, especially since the costs to do it are far from significant.\r\nIt is unclear at this time how successful this stratagem is, but it exposes the breach to a larger audience, putting the victim into a more delicate position as its data is readily available without any restriction.\r\nALPHV is the first ransomware gang to create a search for specific data stolen from their victims. 
The pages are for customers and employees of their victims to check if their data was stolen by the hackers.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victim-s-website-to-leak-stolen-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victim-s-website-to-leak-stolen-data/"
	],
	"report_names": [
		"ransomware-gang-cloned-victim-s-website-to-leak-stolen-data"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7c71b5434bd6b37a6c5d814a011d8b9afc94119.pdf",
		"text": "https://archive.orkl.eu/d7c71b5434bd6b37a6c5d814a011d8b9afc94119.txt",
		"img": "https://archive.orkl.eu/d7c71b5434bd6b37a6c5d814a011d8b9afc94119.jpg"
	}
}