Some attackers, whom researchers link to The Com, have swatted company executives to gain leverage and pressure victims into paying their ransom demands. The post "BlackFile actively extorting data-theft victims in retail and hospitality sector" appeared first on CyberScoop.
# Incident Report: BlackFile Data Theft and Extortion Campaign
## Executive Summary
The threat group known as BlackFile (also tracked as Cordial Spider or UNC6671) is conducting an ongoing data-theft and extortion campaign primarily targeting the retail and hospitality sectors. The attackers utilize sophisticated voice-phishing (vishing) and social engineering to impersonate IT support, harvest credentials, and exfiltrate sensitive data. To increase pressure for seven-figure ransom payments, the group has engaged in extreme "swatting" tactics against company executives.
## Incident Details
- **Discovery Date:** February 2026 (Active surge identified by Unit 42)
- **Incident Date:** Ongoing (Campaign activity traced back to at least October 2025)
- **Affected Organization:** Multiple undisclosed organizations
- **Sector:** Retail, Hospitality, Healthcare, Technology, Transportation, and Logistics
- **Geography:** International / Not specified
## Timeline of Events
### Initial Access
- **Date/Time:** Traced back to October 2025; persistent activity since February 2026.
- **Vector:** Social Engineering / Voice-Phishing (Vishing).
- **Details:** Attackers call employees pretending to be IT support and direct them to fraudulent phishing pages that mimic corporate Single Sign-On (SSO) login portals.
### Lateral Movement
- **Details:** After harvesting credentials, attackers move into privileged accounts and scrape internal employee directories to identify high-value targets, such as executives.
### Data Exfiltration/Impact
- **Details:** Attackers target SaaS environments, Microsoft Graph API, Salesforce, SharePoint sites, and internal repositories. They exfiltrate employee phone numbers, business records, and sensitive corporate data.
### Detection & Response
- **Discovery:** Identified through threat intelligence monitoring by Palo Alto Networks Unit 42 and CrowdStrike.
- **Response Actions:** RH-ISAC published indicators of compromise (IOCs) and defensive guidance in April 2026.
## Attack Methodology
- **Initial Access:** Voice-phishing (vishing) and impersonation of IT help desks.
- **Persistence:** Compromising senior/executive accounts to mirror legitimate session activity.
- **Privilege Escalation:** Social engineering of administrative or executive users.
- **Defense Evasion:** Use of legitimate-looking SSO phishing pages and mimicking executive session behavior.
- **Credential Access:** Phishing sites designed to capture corporate SSO credentials.
- **Discovery:** Scraping internal employee directories and contact lists.
- **Lateral Movement:** Utilizing compromised credentials to access various SaaS and cloud platforms.
- **Collection:** Gathering data from SharePoint, Salesforce, and Microsoft Graph API.
- **Exfiltration:** Transferring data to attacker-controlled infrastructure; use of a dedicated data-leak site.
- **Impact:** Financial extortion (demands in the seven-figure range), swatting of personnel, and public data leaks.
## Impact Assessment
- **Financial:** Ransom demands typically exceed $1,000,000.
- **Data Breach:** Compromise of internal business records, employee PII, and repository data.
- **Operational:** Disruption due to law enforcement response to swatting incidents and compromised IT services.
- **Reputational:** High risk due to the group's active data-leak site and public harassment of executives.
## Indicators of Compromise
- **Network indicators:** Phishing domains mimicking corporate SSO (e.g., [company]-sso[.]com).
- **File indicators:** Not specified in the report (primary focus on service-based theft).
- **Behavioral indicators:** Unusual logins from remote locations to SaaS platforms; unexpected IT support calls requesting SSO authentication.
## Response Actions
- **Containment:** RH-ISAC and Unit 42 have released IOCs for blocking.
- **Eradication:** Organizations are encouraged to rotate credentials and audit API permissions (Graph API/Salesforce).
- **Recovery:** Restoring integrity of compromised SaaS environments and internal directories.
## Lessons Learned
- **Voice Channel Weakness:** Conventional MFA can be bypassed or social-engineered through convincing voice-phishing calls.
- **Executive Targeting:** Attackers are increasingly using "swatting" as a psychological lever to bypass standard incident response protocols.
- **SaaS Risks:** Broad API permissions (like Microsoft Graph) provide attackers with a massive blast radius once a single account is compromised.
## Recommendations
- **Identity Verification:** Implement multi-factor identity verification for all internal IT support calls.
- **Least Privilege:** Restrict the actions an IT support representative can take in a single call without secondary management approval.
- **Monitoring:** Enable enhanced logging for Microsoft Graph API and Salesforce access to detect bulk data scraping.
- **Executive Protection:** Brief executives on the risk of swatting and coordinate with local law enforcement to flag high-risk addresses.
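The monitoring recommendation above (bulk directory scraping, unusual logins to SaaS platforms) can be turned into concrete detection logic. The following Python sketch is an added example, not code from CyberScoop, Unit 42, CrowdStrike or RH-ISAC, and the audit-record schema it consumes (timestamp, user, event type, resource, country) is a constructed simplification rather than the real Microsoft Graph or Salesforce log format. It flags any account that performs a high volume of directory reads inside a sliding window, any sign-in from a country absent from that user's baseline, and correlates the two, which is the sequence the report describes (compromised SSO credentials used from a remote location, followed by scraping of the employee directory).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. The field layout is hypothetical and does
# not match any vendor's real audit log schema.
RAW_EVENTS = [
    ("2026-03-02T09:00:00", "alice@example.com", "signin", "-", "US"),
    ("2026-03-02T09:05:00", "alice@example.com", "directory_read", "/users?page=1", "US"),
    ("2026-03-02T09:40:00", "alice@example.com", "directory_read", "/users/bob", "US"),
    ("2026-03-02T13:12:00", "bob@example.com", "signin", "-", "RO"),
]
# Bob's session: 60 paged directory reads inside five minutes, modelling the
# scraping of employee contact lists described in the report.
RAW_EVENTS += [
    ("2026-03-02T13:%02d:%02d" % (13 + i // 12, (i % 12) * 5),
     "bob@example.com", "directory_read", "/users?page=%d" % i, "RO")
    for i in range(60)
]

# Constructed per-user sign-in baseline (countries seen over a prior period).
SIGNIN_BASELINE = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US", "CA"},
}


def parse_events(raw):
    """Turn raw tuples into dicts with a parsed datetime, sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "user": user, "type": etype,
         "resource": resource, "country": country}
        for ts, user, etype, resource, country in raw
    ]
    return sorted(events, key=lambda e: e["ts"])


def detect_bulk_enumeration(events, threshold=50, window=timedelta(minutes=10)):
    """Flag users whose directory_read count within any sliding window of
    `window` length reaches `threshold`. Returns {user: peak count}."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "directory_read":
            per_user[e["user"]].append(e["ts"])
    findings = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until it is within `window` of `ts`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[user] = peak
    return findings


def detect_new_location_signins(events, baseline):
    """Flag sign-ins from a country not present in the user's baseline."""
    findings = []
    for e in events:
        if e["type"] == "signin" and e["country"] not in baseline.get(e["user"], set()):
            findings.append((e["user"], e["country"], e["ts"].isoformat()))
    return findings


def run_detections(raw=RAW_EVENTS, baseline=SIGNIN_BASELINE):
    """Run both detections and correlate users that trip both of them."""
    events = parse_events(raw)
    bulk = detect_bulk_enumeration(events)
    new_loc = detect_new_location_signins(events, baseline)
    flagged_users = {user for user, _country, _ts in new_loc}
    return {
        "bulk_enumeration": bulk,
        "new_location_signins": new_loc,
        # Accounts with both signals deserve the highest triage priority.
        "correlated": sorted(u for u in bulk if u in flagged_users),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

The thresholds (50 reads in 10 minutes) are placeholders; in practice they should be tuned against a baseline of legitimate directory usage, and the sign-in baseline should be built from historical identity-provider logs rather than the static dictionary used here.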