
Introduction
A dangerous cybercriminal group known as BlackFile is intensifying attacks against businesses in the retail and hospitality sectors, using deception, stolen credentials, and aggressive extortion tactics. Security researchers say the gang is actively impersonating IT support staff, tricking employees over the phone, and gaining access to sensitive corporate systems. Once inside, the attackers steal valuable data and demand large ransom payments, often reaching seven figures.
The campaign reflects a growing shift in cybercrime. Instead of relying only on malware, attackers are increasingly using psychological manipulation and human trust as their main weapon. For companies handling customer records, employee data, payment systems, and operational platforms, the risk is serious and immediate.
BlackFile’s Current Attack Campaign
Researchers from Unit 42 warned that BlackFile has been actively targeting retail and hospitality organizations since February. The group has also been linked to attacks across healthcare, logistics, wholesale, transportation, and technology industries.
The threat actors are known by multiple tracking names including CL-CRI-1116, UNC6671, and Cordial Spider. Investigators believe they may be connected to the broader cybercriminal ecosystem known as The Com, a loose network tied to social engineering and online fraud.
According to security analysts, BlackFile appears to choose victims opportunistically rather than focusing on one specific company. This means any organization with weak defenses or vulnerable staff could become a target.
Their main goal is simple: gain access to internal systems, steal sensitive data, and pressure victims into paying massive ransom demands.
How the Attack Works
BlackFile uses voice phishing, also called vishing, as one of its main entry methods. Attackers call employees while pretending to be internal IT support staff or external technical vendors.
They manufacture urgency, confusion, or authority during these calls, convincing workers to read out credentials or to approve login and multi-factor authentication prompts they did not initiate.
The group also uses fake login pages designed to look like legitimate corporate single sign-on portals. Employees who enter usernames and passwords there unknowingly hand access directly to the criminals.
Once inside, the attackers move quickly toward privileged and executive accounts.
Researchers say the gang often studies internal employee directories first. This allows them to identify senior leadership, department heads, and decision-makers.
By compromising executive accounts, BlackFile can operate inside systems while appearing legitimate, making detection harder.
Data Theft Across Cloud Platforms
The stolen access is then used to extract valuable information from multiple environments.
Researchers observed BlackFile targeting:
SaaS environments
Microsoft Graph API permissions
Salesforce API access
Internal repositories
SharePoint systems
Employee phone directories
Business records
Sensitive datasets
This shows how modern extortion groups no longer need to deploy ransomware encryption in every case. Stealing the data and threatening to leak it is often enough to force payment.
If customer information, contracts, payroll files, or executive communications are exposed, the reputational and financial damage can be severe.
Swatting and Psychological Pressure
One of the most alarming tactics connected to the group is swatting.
Researchers say attackers have targeted company personnel, including executives, with false emergency reports designed to trigger armed police responses.
This tactic adds fear and pressure during ransom negotiations.
Instead of relying only on technical compromise, BlackFile appears willing to use real-world harassment to intimidate victims.
That marks a disturbing evolution in extortion campaigns.
Why Retail and Hospitality Are Prime Targets
Retailers and hospitality companies often manage:
Large customer databases
Loyalty program accounts
Payment information
Reservation systems
Distributed workforces
High employee turnover
Multiple third-party vendors
These factors can create identity security gaps.
Busy environments with many temporary workers or outsourced help desks may be more vulnerable to voice scams and rushed authentication mistakes.
Attackers know this and are exploiting it.
What Undercode Says:
BlackFile represents a modern criminal business model where human manipulation is more valuable than malicious code.
Traditional cybersecurity strategies often focus heavily on firewalls, antivirus tools, and malware detection. Those controls remain important, but they are less effective when an employee willingly grants access to an attacker pretending to be support staff.
This case underlines that identity is now the real perimeter.
The use of fake IT support calls is especially effective because workers are trained to trust internal assistance teams. Attackers abuse that trust with confidence, urgency, and believable scripts.
Another key concern is cloud sprawl.
Many companies use Microsoft 365, Salesforce, SharePoint, and other SaaS tools. Once attackers compromise one identity with broad permissions, they may access multiple systems without needing advanced exploits.
That means a single successful phone scam can unlock an entire enterprise environment.
The mention of swatting is also significant.
Cybercrime used to remain digital. Now some groups are blending online attacks with physical intimidation. That raises legal, safety, and executive protection concerns far beyond normal ransomware playbooks.
Retail and hospitality should treat this as a board-level issue.
Frontline staff, call centers, HR teams, and executive assistants all need awareness training because they may become the first line of defense.
Companies should also redesign help-desk procedures.
No password reset, MFA change, or privilege escalation should be completed on the strength of a single phone call. Each should require layered verification, such as a callback to a phone number already on record, a ticket opened through a channel the caller does not control, and manager approval for executive or privileged accounts.
Security teams must monitor for unusual OAuth consent grants (especially broad Microsoft Graph or Salesforce API scopes), new API token creation, mailbox access from unfamiliar clients, and sign-in or MFA-change anomalies on executive accounts, and they should treat a help-desk reset followed shortly by a sign-in from an unfamiliar location as one event chain rather than two unrelated logs.
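As an added illustration (not code from the article, Unit 42, or Undercode), the Python sketch below runs the kinds of checks just listed over a handful of constructed identity events. The event shape, field names, high-risk scope list, approved-app allowlist, and executive watchlist are all assumptions made for the example, not any vendor's real audit-log schema; in practice you would map Entra ID sign-in and audit records, or Salesforce login and setup audit records, onto this shape.

```python
"""Identity-abuse detection sketch for the vishing-to-cloud-theft chain.

Added example, not from the article or the researchers it cites. The event
format is constructed and simplified; every field name below is an assumption.
"""
from datetime import datetime, timedelta

# Permission scopes that expose mail, files, directory data or SaaS records.
# Assumption: a tenant-specific list; the Graph names are real scope strings,
# "api" and "refresh_token" are Salesforce connected-app scopes.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Sites.Read.All",
    "Directory.Read.All", "User.Read.All", "offline_access", "api", "refresh_token",
}
# Applications the tenant has vetted (assumption); anything else getting risky scopes is suspect.
APPROVED_APPS = {"Corp Helpdesk Portal"}
# Executive / privileged identities that get a higher-severity alert (assumption).
WATCHLIST = {"cfo@example.com", "ceo@example.com"}
# A help-desk MFA reset followed by a sign-in from an unfamiliar country inside this
# window is the chain the article describes: reset over the phone, attacker logs in.
RESET_TO_SIGNIN_WINDOW = timedelta(hours=2)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2025-03-04T09:02:00", "type": "mfa_reset", "user": "cfo@example.com",
     "actor": "helpdesk-agent-17"},
    {"time": "2025-03-04T09:31:00", "type": "signin", "user": "cfo@example.com",
     "country": "RO", "baseline_countries": ["US"]},
    {"time": "2025-03-04T09:40:00", "type": "consent", "user": "cfo@example.com",
     "app": "MailSync Helper", "consent_by": "user",
     "scopes": ["Mail.Read", "Files.Read.All", "offline_access"]},
    {"time": "2025-03-04T10:05:00", "type": "api_token", "user": "ops@example.com",
     "client": "SF Data Export", "scopes": ["api", "refresh_token"]},
    {"time": "2025-03-04T11:00:00", "type": "consent", "user": "hr@example.com",
     "app": "Corp Helpdesk Portal", "consent_by": "admin", "scopes": ["User.Read"]},
    {"time": "2025-03-04T12:00:00", "type": "signin", "user": "hr@example.com",
     "country": "US", "baseline_countries": ["US"]},
]


def detect(events):
    """Return (severity, rule, user, detail) tuples for suspicious events.

    Events are processed in time order so a sign-in can be correlated with an
    earlier help-desk MFA reset for the same user.
    """
    alerts = []
    recent_resets = {}  # user -> time of the most recent MFA reset / method registration
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        user = e["user"]
        sev = "high" if user in WATCHLIST else "medium"

        if e["type"] == "consent":
            # Broad Graph / Salesforce scopes granted to an unvetted app, by user or admin consent.
            risky = set(e["scopes"]) & HIGH_RISK_SCOPES
            if risky and e["app"] not in APPROVED_APPS:
                alerts.append((sev, "risky_oauth_consent", user,
                               f"{e['app']} granted {sorted(risky)} via {e['consent_by']} consent"))

        elif e["type"] == "mfa_reset":
            recent_resets[user] = t
            if user in WATCHLIST:
                alerts.append(("high", "exec_mfa_reset", user, f"reset by {e['actor']}"))

        elif e["type"] == "signin":
            reset_at = recent_resets.get(user)
            if (reset_at and t - reset_at <= RESET_TO_SIGNIN_WINDOW
                    and e["country"] not in e["baseline_countries"]):
                minutes = int((t - reset_at).total_seconds() // 60)
                alerts.append(("high", "signin_after_mfa_reset", user,
                               f"from {e['country']} {minutes} min after reset"))

        elif e["type"] == "api_token":
            # Personal access / connected-app tokens on privileged accounts or unvetted clients.
            if user in WATCHLIST or e["client"] not in APPROVED_APPS:
                alerts.append((sev, "api_token_created", user,
                               f"client {e['client']} scopes {e['scopes']}"))
    return alerts


if __name__ == "__main__":
    for severity, rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule:24} {user:20} {detail}")
```

On the sample data the sketch raises four alerts: the executive MFA reset, the sign-in from an unfamiliar country 29 minutes later, the user consent that hands an unvetted app mail and file access, and the Salesforce-style token created for an unvetted client; the admin-approved consent for the allowlisted helpdesk app and the baseline-country sign-in are ignored. The point of the correlation rule is that each of those events looks routine on its own; only the chain reveals the phone call.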
The organizations that respond fastest to identity abuse will be in the best position to stop these campaigns.
BlackFile may be one group today, but many others will likely copy the same methods tomorrow.
Fact Checker Results
✅ BlackFile has been reported as targeting retail and hospitality organizations through voice-phishing campaigns.
✅ Researchers linked the group to credential theft, executive account compromise, and data extortion.
❌ There is no public confirmation yet of the total number of victims or exact ransom payments made.
Prediction
🔮 Voice-phishing attacks against enterprises will continue rising because they bypass many traditional defenses.
🔮 More extortion groups will focus on cloud identities instead of deploying classic ransomware encryptors.
🔮 Companies that fail to secure help-desk workflows and executive accounts will face increasing risk in 2026.
References:
Reported By: cyberscoop.com