Reddit confirms BlackCat gang pinched some data

Crooks demand $4.5m to keep '80GB' of corp info private – and no API price hikes

Reddit this week confirmed ransomware gang BlackCat, aka AlphaV, broke into its corporate systems in February.

The crew just the other day had bragged it stole 80GB from the biz, and had demanded the social media company pay $4.5 million to keep a lid on the data as well as ditch its controversial API pricing changes.

A spokesperson for Reddit declined to comment on BlackCat's specific boasts, and insisted it's not the result of a fresh intrusion. The theft happened a few months ago, and was the result of a "sophisticated phishing campaign" against its staff that Reddit said it encountered on February 5 and disclosed on February 9. 

At the time, the company said that, as a result of that phishing, miscreants were able to grab "limited Reddit code, limited contact information for a small number of company contacts and employees (current and former), as well as limited advertiser information (no high risk data was accessed such as credit card details, company financial information, account passwords, campaign strategy or performance)."

In short, yes, someone grabbed its corporate data, but user information and accounts weren't touched, or so we're told. Production systems weren't affected, the February announcement declared, and "we have no evidence to suggest that any Reddit information has been published or distributed online."

That may change soon, however, as BlackCat said on Saturday: "We expect to leak the data." 

The BlackCat crooks claimed they stole 80GB of data during the intrusion and emailed Reddit about the break-in twice, once on April 13 and a second time on June 16. "There was no attempt to find out what we took," the ransomware operators said.

"We are very confident that Reddit will not pay any money for their data," the BlackCat post continued, adding that they demanded $4.5 million to delete the stolen data and not make it public, and also want the social media giant to reverse its planned API price hike. 

"I am very happy to know that the public will be able to read all about the statistics they track about their users and all the interesting confidential data we took," the gang added. "Did you know they also silently sensor [censor? – ed.] users? Along with artifacts from their GitHub!"

Reddit's other issues

The blackmail attempt comes as Reddit struggles to put out several other fires, including a backlash over its plan to charge for API access: $0.24 per 1,000 calls.

As we've pointed out in earlier stories about the pricing scheme: this adds up to tens of millions of dollars a year for popular third-party apps, such as Apollo, Reddit is Fun, and Sync, which rely on the API to customize and improve the Reddit experience for forum moderators and netizens. It all seems like an attempt to thoroughly squeeze the pips of these applications, or force their developers to shut down over costs and drive more people to the official Reddit app — something the company would probably like to see ahead of its long-predicted IPO this year.

Reddit CEO Steve Huffman has since said that he's following the Elon Musk playbook, and that the API pricing plan will help the company turn a profit. The makers of next-gen AI models have also been extracting a ton of training data from Reddit, and now Reddit is keen to get a slice of those developers' fortunes by making them pay for API access.

Reddit also announced layoffs earlier this month.

Emsisoft Threat Analyst Brett Callow, who posted a screenshot of BlackCat's demands, said that the ransomware gang "likely do not care about the API pricing."

"Their intention is simply to demonstrate to other victims that they can cause ongoing harm to a business long after an attack, so payment is the least painful option," Callow said.

Callow noted another "non-monetary ransom": specifically, the Lapsus$ demand that Nvidia open source its driver code after the extortion gang stole, and later dumped online, the GPU giant's data in February 2022.

Earlier this year, BlackCat operators breached the security of major Australian law firm HWL Ebsworth, and have since leaked sensitive information including data belonging to the law firm's federal agency clients.

In February, the crew broke into an American health-care provider — Lehigh Valley Health Network (LVHN) — and stole images of patients undergoing radiation oncology treatment along with other sensitive health records belonging to more than 75,000 people before posting at least some of that data online.

A cancer patient whose nude medical photos and records were shared has sued LVHN for allowing the "preventable" and "seriously damaging" leak. ®
