{
	"id": "ae2ab4a8-93b6-4121-b5ce-12a266fa2f8b",
	"created_at": "2026-04-09T02:24:12.878069Z",
	"updated_at": "2026-04-10T13:12:12.052388Z",
	"deleted_at": null,
	"sha1_hash": "ed885645dad7d4f11e5589f4a326465ca3327c43",
	"title": "\"BlackCat\" attempts to up the pressure on Suffolk County; starts to leak data? - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54387,
	"plain_text": "\"BlackCat\" attempts to up the pressure on Suffolk County; starts\r\nto leak data? - DataBreaches.Net\r\nPublished: 2022-09-25 · Archived: 2026-04-09 02:18:43 UTC\r\nSince September 8, Suffolk County has been trying to recover from a cyberattack by a ransomware group known\r\nas “ALPHV” or “BlackCat.” The attack disabled the county’s 911 system as well as other services. The county\r\nreverted to older methods for handling essential county operations, dispatching, and paying bills. State police have\r\nalso provided support for some services. Still, this incident will undoubtedly result in questions about whether\r\ncounty executives and legislators made prudent decisions about cybersecurity and cyberinsurance and were\r\nprepared for a ransomware attack.\r\nOn September 15, DataBreaches reported that BlackCat had claimed responsibility and provided some proof of\r\naccess to county files.\r\nhttps://www.databreaches.net/blackcat-attempts-to-up-the-pressure-on-suffolk-county-starts-to-leak-data/\r\nPage 1 of 4\n\nA message posted by BlackCat attempts to pressure the county into paying them. Such messaging by\r\nthreat groups is common.\n\nBut BlackCat did more than that. Shortly after that, they published a second statement to the county. 
Their second\r\nstatement was typical of such statements by ransomware gangs:  they talk about how the public’s information will\r\nbe dumped, how the executives will suffer politically, and how they (BlackCat) stand ready to help the county\r\nrestore its systems if the county contacts them and negotiates a “SMALL REWARD FOR OUR WORK TO FIND\r\nVULNERABILITIES ON THE SUFFOLK COUNTY COMPUTER NETWORK.”\r\nSince the county first disclosed the incident, DataBreaches suggested that reporters who contacted this site ask the\r\ncounty, “Does the county have a usable backup that it can use to restore systems?” DataBreaches didn’t suggest\r\nreporters ask the county if it has a cyberinsurance policy to cover the costs of recovery and mitigation, but it turns\r\nout they don’t.\r\nDid BlackCat know that the county had no cyberinsurance that would cover a ransom payment? Many\r\nransomware groups research their targets or potential victims and know what cyberinsurance they have. What did\r\nBlackCat know? And how much ransom did BlackCat demand as a “small reward?”\r\nDataBreaches is not suggesting that the county should have paid any ransom. But what will incident response and\r\nrecovery from this attack cost? When they decided not to purchase cyberinsurance, did they accurately estimate\r\nthe costs of an incident like this?\r\nWhich brings us back to my original question: does the county have a current and usable backup they can use to\r\nrestore from?  
Some screencaps posted by BlackCat suggest that the answer to that question might not be\r\nencouraging.\r\nBill Toulas of Bleeping Computer recently reported on changes BlackCat has made as they upgrade and evolve.\r\nHe reported:\r\nAnother recent addition to BlackCat’s info-stealing capacity is the deployment of a new malware called\r\n“Eamfo,” which explicitly targets credentials stored in Veeam backups.\r\nThis software is typically used for storing credentials to domain controllers and cloud services so that\r\nthe ransomware actors can use them for deeper infiltration and lateral movement.\r\nLooking at the screencaps posted by BlackCat on their leak site, DataBreaches noticed one in particular concerned\r\nwith backups:\r\nBackup infrastructure information\r\nA screencap provided by BlackCat shows the backup infrastructure. Three backup proxies appear to\r\nbe identified as “disabled,” and 12 managed servers appear “unavailable.” Names of servers and\r\ndescriptions redacted by DataBreaches.net.\r\nThe image appears to be taken from a Veeam Backup \u0026 Replication tool — the very tool that would run backups\r\nand assist with recovery from a data disaster. If BlackCat got this far, what did they do next?  DataBreaches sent\r\nan email inquiry to the county asking about the availability of usable backups, but no reply has been received as\r\nyet.\n\nYesterday, BlackCat published another update. This one claims they\r\nare making 400 GB of county and contractor data available. DataBreaches could not confirm the claim because\r\ntheir site has timed out on all connection attempts. If they have leaked 400 GB of files, that would be 10% of what\r\nthey claim to have acquired.\r\nAs Brett Callow of Emsisoft recently reminded people, at least 37 local governments in the U.S. 
have been hit by\r\nransomware this year; over half of them had data stolen. According to a spokesperson for the county who gave a\r\nstatement to Newsday, Suffolk has spent $6.5 million on cybersecurity since 2019 and has been collaborating with\r\nthe New York State Association of Counties to explore the possibility of obtaining cyber insurance. Perhaps this\r\nincident will be a cautionary tale for all the other NYS counties that do not have cyberinsurance. Even when a\r\nvictim decides not to pay any ransom demand, incident response and mitigation costs may be very costly.\r\nTaxpayers in Suffolk County will eventually learn how costly.\r\nSuffolk County residents can obtain information on county services and updates at\r\nhttps://www.suffolkcountyny.gov/. The county advises residents to be vigilant about monitoring any financial or\r\ncredit accounts for signs of fraud and offers information on placing fraud alerts and security freezes. \r\nUpdate:  Suffolk County did not reply to the inquiry about backups, but DataBreaches was able to contact\r\nBlackCat to ask them whether they had deleted all backups or if the county had any backups left by them.  Their\r\nadmin answered: ” Hi, they should have removed everything, I can clarify now.”  Well, “should have” and “did”\r\nare not quite the same, but it sounds like their intention was to delete all backups.\r\nSource: https://www.databreaches.net/blackcat-attempts-to-up-the-pressure-on-suffolk-county-starts-to-leak-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.databreaches.net/blackcat-attempts-to-up-the-pressure-on-suffolk-county-starts-to-leak-data/"
	],
	"report_names": [
		"blackcat-attempts-to-up-the-pressure-on-suffolk-county-starts-to-leak-data"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701452,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed885645dad7d4f11e5589f4a326465ca3327c43.pdf",
		"text": "https://archive.orkl.eu/ed885645dad7d4f11e5589f4a326465ca3327c43.txt",
		"img": "https://archive.orkl.eu/ed885645dad7d4f11e5589f4a326465ca3327c43.jpg"
	}
}