Casepoint, a legal technology platform allegedly hacked by the ALPHV/BlackCat ransomware gang, said it has activated its incident response protocols. Attackers responded by posting additional sensitive data.
The platform is used by the United States Courts, US Security Exchanges Commission (SEC), and the Department of Defense (DoD).
While the company’s decision to “activate security protocols” isn’t an official confirmation of the ALPHV/BlackCat attack, organizations typically don’t kickstart security measures if there’s no risk of system penetration.
“On Tuesday, May 30th, Casepoint activated our incident response protocols and engaged an external forensic firm to help us investigate a potential incident and to serve as an extra set of eyes on the remediation work we’ve already performed to date,” the company told Cybernews.
Casepoint’s spokesman explained that the platform is fully operational, and its clients shouldn’t experience any downtime due to the potential incident. The platform hired outside help to investigate the issue.
“The third-party forensic firm that we have engaged is currently running scans and deploying advanced endpoint detection monitoring tools and will be looking for signs of suspicious activity,” Casepoint said.
Meanwhile, ALPHV/Blackcat updated their dark web blog, posting extremely sensitive data allegedly related to Casepoint’s eDiscovery platform, as well as other sensitive details.
“You don’t have to do forensics to know that we were in your network. Here’s the proof,” the cybercriminals said.
The gang claims it has stolen 2TB of sensitive data, including sensitive information from various lawyers, SEC, DoD, FBI, Police, and other organizations.
Meanwhile, Casepoint boasts many high-profile clients such as the United States Courts, SEC, DoD, the US National Credit Union Administration (NCUA), hotel operator Marriott, German industrial giant ThyssenKrupp, academic medical center Mayo Clinic, railway operator BNSF Railway, and others.
“We are early on in our investigation and are committed to keeping our clients informed as we learn more. We’re on top of it, and we know that transparency and proactivity is key to a good response to these types of matters,” Casepoint’s spokesperson said.
What is ALPHV/BlackCat ransomware?
ALPHV/BlackCat ransomware was first observed in 2021. Like many others in the criminal underworld, the group operates a ransomware-as-a-service (RaaS) business, selling malware subscriptions to criminals.
The gang was noted for its use of the Rust programming language. According to an analysis by Microsoft, threat actors that began deploying it were known to work with other prominent ransomware families such as Conti, LockBit, and REvil.
The FBI believes that money launderers for the ALPHV/BlackCat cartel are linked to Darkside and Blackmatter ransomware cartels, indicating that the group has a well-established network of operatives in the RaaS business.
Lately, ALPHV/BlackCat has been among the most active ransomware gangs. According to cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.
ALPHV/BlackCat seem to be focused on professional service providers recently. Last week, the gang said it breached Mazars Group, an international audit, accounting, and consulting firm.
More from Cybernews:
Subscribe to our newsletter