Black Cat ransomware group wants $4.5m from Reddit or will leak stolen files

Christopher Boyd

The ramifications of a Reddit breach which occurred back in February are now being felt, with the attackers threatening to leak the stolen data. The February attack, billed as a “sophisticated phishing campaign” by Reddit, involved an attempt to swipe credentials and two-factor authentication tokens.

One employee was tricked into handing over details, and then reported what had happened to Reddit. Its security team locked things down and began investigating.

The employee’s credentials were reportedly used to gain access to “some internal docs, code, as well as some internal dashboards and business systems”, which exposed “limited contact information” for company contacts and employees, and information about advertisers.

Reddit advised users that their passwords were safe, and so there was no need to alter login details. There were also “no signs” that the breach impacted “the parts of our stack that run Reddit and store the majority of our data, or any of your non-public data”. At the time, Reddit received praise for the clarity of the messaging. “This happened, that didn’t, your login is fine” is somewhat unusual in these situations and messaging is often confusing or even simply absent for far too long.

It seems we’re finally about to find out how on the money Reddit’s assessment of the situation was. Bleeping Computer reports that the Black Cat ransomware group is claiming responsibility for the attack. Worse, it’s threatening to drop roughly 80GB of data online after its supposed attempts to claim a ransom of $4.5m were ignored.

Here’s what Black Cat—also known as ALPHV—has to say about this one:

…I am very happy to know that the public will be able to read all about the statistics they track about their users and all the interesting confidential data we took. Did you know they also silently censor users?

Bold claims indeed, but nobody will know for sure how much of this is true and how much is simply bluster until and unless the files are leaked. Interestingly, Black Cat is also demanding that Reddit reverse its controversial API pricing changes.

Bleeping Computer notes that nothing was encrypted in this attack; it appears that this was “just” about grabbing as much data as possible and using it to extort money from the victim. A double-extortion ransomware attack without the ransomware, if you will. Even so, this still presents a major headache for Reddit, with or without encrypted devices to worry about.

At this point, nobody knows what exactly may leak when the data drop comes (if it ever does). There is no suggestion from the Black Cat group that passwords were grabbed, so that’s one plus point for Reddit users. As for the rest of it, this seems like a mess for the Reddit CEO and team to deal with.

Black Cat is definitely one of the more prominent ransomware players in recent times, with a string of high-impact and notable attacks. Lehigh Valley Health Network in Pennsylvania was hit hard in February of this year, with an understandable furore over leaked photos of breast cancer patients. Elsewhere, the group’s dedicated leak site continues to play to its strengths, as we can see with the current Reddit story. As you can see from our June Ransomware review, Black Cat is always close to the top of the pile where infections are concerned. Time may be running out for Reddit as far as the above breach goes, but with a little bit of pre-planning your organisation doesn’t have to meet the same fate.