The BlackCat ransomware criminal group, also known as ALPHV, hacked into Reddit servers earlier this year: a breach that Reddit confirmed in February. It was reported that while the attackers gained access to internal documents and code, as well as internal dashboards and business systems, there was no evidence that production systems were breached or user accounts accessed. Not a great deal more was heard about the incident. Until now. A posting to the BlackCat leak site reveals that it is demanding $4.5 million and the scrapping of API pricing changes or it will publish 80GB of stolen data.
BlackCat Ransomware Group Exploits Reddit User Anger
Dominic Alvieri, a cybersecurity analyst and security researcher, has tweeted a screenshot from the BlackCat/ALPHV group’s leak site detailing their demands. Leak sites have become something of a default method of raising the stakes and applying pressure on victims of ransomware, specifically those victims whose data has been exfiltrated. According to a Bleeping Computer report, the BlackCat actors did not encrypt any devices during this attack, despite being a ransomware group which usually does precisely that. It did, however, steal a lot of data. Precisely what that data involved has never been made public, but the BlackCat group is now making claims regarding that.
The June 17 BlackCat posting claims that the criminal group successfully breached Reddit servers on February 5, 2023, to exfiltrate a total of 80GB of zipped data. It is not clear if the 80GB is the compressed or uncompressed size. The attackers stated that the group contacted Reddit on April 13, and then again on June 16. “We stated that we wanted $4.5 million in exchange for the deletion of the data,” it claimed, warning that if the group had to make details of the extortion public it would “demand that they also withdraw their API pricing changes.” And that’s what has now happened, with BlackCat wanting both the ransom and the API changes scrapped.
What’s Behind This New Reddit Threat?
The chances of either of these demands being met are, frankly, zero. Which leaves us to surmise that BlackCat is just making the most of the current media attention on Reddit, with group blackouts to protest against the API pricing. Ransomware actors in general seem to have a desire for publicity and media coverage, unlike most criminals who want to bring as little attention as possible to their activities.
So, if BlackCat does publish the stolen Reddit data, what will it include? We can be pretty sure of what it doesn’t include, and that’s user data such as account details, passwords or payment information. That’s because, from the very start, Reddit made it quite clear that the ‘live’ production systems holding such data were not breached. Instead, BlackCat is teasing such revelations as “all the statistics they track about their users,” and data concerning how Reddit “silently censors users.” I’m not overly convinced Reddit users will care that much about shadowbans and tracking systems, although given the current anger against the owner it might provide more protest ammunition if nothing else.
I have reached out to Reddit asking if it can confirm any of the statements made by the criminal actors regarding ransom requests and the type of data they claim is to be published. I will update this article when I hear back from Reddit.