Some attackers, whom researchers link to The Com, have swatted company executives to increase leverage and pressure victims into paying their ransom demands.
BlackFile, a cyber extortion group believed to be linked to the underground collective known as The Com, is continuing to target organizations through sophisticated voice-phishing and social engineering attacks. The campaign has impacted multiple industries, including healthcare, technology, transportation, logistics, wholesale, retail, and hospitality, with attackers impersonating IT support personnel to gain access to corporate systems.
The group has been particularly active in the retail and hospitality sectors since February, leveraging voice-based deception tactics to manipulate employees into revealing credentials or granting unauthorized access. By posing as trusted internal IT staff, attackers exploit human vulnerabilities rather than technical weaknesses, making these attacks especially difficult to detect and prevent.
BlackFile’s operations are financially motivated, with the primary objective of extorting large ransom payments from victims. According to Matt Brady, senior principal researcher at Unit 42, the group pressures organizations into paying demands that often reach seven-figure sums. This aggressive monetization strategy highlights the increasing sophistication and confidence of modern cybercriminal groups.
Once initial access is gained, the attackers move quickly to escalate privileges by targeting high-level accounts. They often harvest internal employee directories to identify key personnel, including executives, and then use additional social engineering techniques to compromise these accounts. This approach allows them to establish persistent access that closely mimics legitimate executive activity, making detection more challenging.
The group’s reach extends deep into enterprise environments, including SaaS platforms and critical business systems. BlackFile has been observed accessing resources such as Microsoft Graph APIs, Salesforce integrations, internal repositories, and SharePoint environments. Through this access, attackers can extract sensitive corporate data, employee information, and business records to use as leverage in extortion attempts.
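The chain described above (help-desk-assisted credential or MFA reset, then directory harvesting and bulk SaaS access from a new device) is one that can be correlated in audit telemetry. The following is an added detection sketch, not code from Unit 42 or from the article; the event shape, field names, thresholds and the JSON-lines sample are all constructed assumptions standing in for normalized identity and Graph/SharePoint audit logs.

```python
"""Added example: correlate a help-desk reset with post-reset takeover indicators.

Assumed normalized event shape (constructed, not a real log format):
  ts (ISO 8601), action, actor, target, src_ip, count
"""
import json
from datetime import datetime, timedelta

# Constructed sample: svc-helpdesk resets MFA for executive c.lee after a phone call;
# a new device then registers an authenticator, lists the whole directory and pulls
# files from a finance site. j.ortiz is a benign control case.
SAMPLE_LOG = """
{"ts":"2025-03-04T09:12:00Z","action":"helpdesk.mfa_reset","actor":"svc-helpdesk","target":"c.lee","src_ip":"10.1.1.5","count":1}
{"ts":"2025-03-04T09:20:00Z","action":"mfa.method_registered","actor":"c.lee","target":"c.lee","src_ip":"203.0.113.77","count":1}
{"ts":"2025-03-04T09:25:00Z","action":"graph.users.list","actor":"c.lee","target":"/users","src_ip":"203.0.113.77","count":4800}
{"ts":"2025-03-04T09:40:00Z","action":"sharepoint.file_download","actor":"c.lee","target":"/sites/Finance","src_ip":"203.0.113.77","count":312}
{"ts":"2025-03-04T10:05:00Z","action":"helpdesk.password_reset","actor":"svc-helpdesk","target":"j.ortiz","src_ip":"10.1.1.5","count":1}
{"ts":"2025-03-04T10:15:00Z","action":"graph.users.list","actor":"j.ortiz","target":"/users","src_ip":"198.51.100.10","count":25}
{"ts":"2025-03-05T08:00:00Z","action":"sharepoint.file_download","actor":"j.ortiz","target":"/sites/HR","src_ip":"198.51.100.10","count":2}
"""

# Assumed per-user baseline of known source IPs (would come from sign-in history).
KNOWN_IPS = {"c.lee": {"198.51.100.20"}, "j.ortiz": {"198.51.100.10"}}
RESET_ACTIONS = {"helpdesk.mfa_reset", "helpdesk.password_reset"}
WINDOW = timedelta(hours=6)          # look-ahead after the reset
DIR_ENUM_THRESHOLD = 500             # objects returned by a directory listing
BULK_DOWNLOAD_THRESHOLD = 100        # files pulled from one site


def parse_events(text):
    """Parse JSON lines into dicts with ts as a timezone-aware datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, known_ips=KNOWN_IPS, window=WINDOW):
    """For each help-desk reset, collect distinct takeover indicators performed by the
    reset account within the window; alert when at least two distinct kinds occur."""
    alerts = []
    for reset in (e for e in events if e["action"] in RESET_ACTIONS):
        user = reset["target"]
        kinds = set()
        for e in events:
            if e["actor"] != user or not (reset["ts"] < e["ts"] <= reset["ts"] + window):
                continue
            if e["src_ip"] not in known_ips.get(user, set()):
                kinds.add("new_ip")
            if e["action"] == "mfa.method_registered":
                kinds.add("new_mfa_method")
            if e["action"] == "graph.users.list" and e["count"] >= DIR_ENUM_THRESHOLD:
                kinds.add("directory_enumeration")
            if e["action"] == "sharepoint.file_download" and e["count"] >= BULK_DOWNLOAD_THRESHOLD:
                kinds.add("bulk_download")
        if len(kinds) >= 2:
            alerts.append({
                "user": user,
                "reset": reset["action"],
                "reset_ts": reset["ts"].isoformat(),
                "indicators": sorted(kinds),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['user']}: {a['reset']} at {a['reset_ts']} followed by {a['indicators']}")
```

The rule keys on the reset rather than on any single post-reset action, because a large directory listing or a new authenticator on its own is common; the combination inside a short window after a help-desk reset is what makes the sequence worth a ticket. Tune the window and thresholds to the tenant's own baseline before alerting on it.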
In some cases, the group has escalated its tactics beyond digital threats. Reports indicate that attackers have resorted to swatting – making false emergency calls targeting company personnel, including executives – to increase pressure on victims and accelerate ransom negotiations. This blend of cyber and real-world intimidation underscores the evolving nature of extortion campaigns.
To further amplify their operations, BlackFile has established a data-leak site where stolen information is published if organizations refuse to comply with ransom demands. This tactic adds reputational risk to the already significant financial and operational impact of an attack, forcing companies to weigh the consequences of non-payment.
The campaign remains active and opportunistic, with attackers targeting organizations across sectors without a fixed pattern. Their ability to combine voice phishing, credential theft, and deep system access demonstrates a high level of coordination and adaptability.
As these attacks continue to evolve, organizations are being urged to strengthen identity verification processes, particularly for IT support interactions. Limiting the scope of actions that can be performed during a single support call and enforcing strict escalation protocols are becoming essential measures in defending against such threats.
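One way to make "limit what a single support call can do" and "strict escalation" concrete is a small policy check the help-desk tooling consults before each action. The code below is an added illustration, not the article's or any vendor's implementation; the account tiers, verification steps, risk weights and per-call budget are assumptions chosen for the example.

```python
"""Added example: per-call scope and escalation policy for IT support requests.

All tiers, verification step names, risk weights and the budget are assumed values.
"""
from dataclasses import dataclass, field

# Risk weight per action. A call has a fixed budget, so a password reset (3) and an
# MFA reset (4) cannot both be completed in one conversation.
ACTION_RISK = {
    "unlock_account": 1,
    "password_reset": 3,
    "mfa_reset": 4,
    "add_mfa_device": 4,
    "change_recovery_email": 3,
}
CALL_BUDGET = 5

# Verification that must be completed before any action in the call. The phone call
# itself never counts: callback goes to the number already on file, and approvals
# arrive through a ticket, not from the caller.
REQUIRED_VERIFICATION = {
    "standard": {"kb_question", "callback_on_file"},
    "privileged": {"callback_on_file", "manager_approval"},
    "executive": {"callback_on_file", "manager_approval", "in_person_or_video"},
}
CREDENTIAL_ACTIONS = {"password_reset", "mfa_reset", "add_mfa_device"}


@dataclass
class CallSession:
    claimed_identity: str
    account_tier: str
    verification_done: set = field(default_factory=set)
    actions_done: list = field(default_factory=list)


def evaluate_request(session, action):
    """Return (decision, reason); decision is 'allow', 'deny' or 'escalate'."""
    if action not in ACTION_RISK:
        return "deny", f"unknown action {action!r}"
    required = REQUIRED_VERIFICATION.get(session.account_tier)
    if required is None:
        return "deny", f"unknown tier {session.account_tier!r}"
    missing = required - session.verification_done
    if missing:
        return "escalate", "verification incomplete: " + ", ".join(sorted(missing))
    spent = sum(ACTION_RISK[a] for a in session.actions_done)
    if spent + ACTION_RISK[action] > CALL_BUDGET:
        return "escalate", (f"call budget exceeded ({spent}+{ACTION_RISK[action]}>{CALL_BUDGET}); "
                            "open a ticket instead of continuing on this call")
    # Credential and authenticator changes on privileged/executive accounts are never
    # performed live on the phone, however well the caller is verified.
    if session.account_tier != "standard" and action in CREDENTIAL_ACTIONS:
        return "escalate", "credential/MFA change on a high-tier account requires the ticketed second-person path"
    return "allow", "verified and within call scope"


def record(session, action):
    """Evaluate and, if allowed, charge the action against this call's budget."""
    decision, reason = evaluate_request(session, action)
    if decision == "allow":
        session.actions_done.append(action)
    return decision, reason


if __name__ == "__main__":
    call = CallSession("c.lee", "executive", {"callback_on_file"})
    print(evaluate_request(call, "mfa_reset"))
    call = CallSession("a.user", "standard", {"kb_question", "callback_on_file"})
    for act in ("password_reset", "mfa_reset", "unlock_account"):
        print(act, record(call, act))
```

The two properties that matter are that the caller cannot supply their own verification (every required step is something the agent does out of band) and that the budget is charged per call, so a second "quick follow-up" request in the same conversation trips escalation rather than quietly extending the session's reach.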
BlackFile’s ongoing campaign highlights a growing trend in cybercrime where social engineering and identity-based attacks are becoming as critical as traditional malware-based threats. With attackers increasingly exploiting trust and communication channels, businesses must rethink their security strategies to address both human and technological vulnerabilities.