Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Ransomware

BlackCat Claims Hit on Reddit, Threatens Sensitive Data Leak

Group Attempts to Insert Itself in Debate Between Reddit Leadership and Volunteers
BlackCat Claims Hit on Reddit, Threatens Sensitive Data Leak
Reddit CEO Steve Huffman at Web Summit 2017 in Lisbon (Source: Flickr/CC)

Ransomware-wielding extortionists love to kick nonpaying victims when they're already down, in the hopes it will drive them to pay a ransom - or at least bolster criminals' notoriety.

See Also: BEC Defense: Advanced Tactics to Shield Your Organization

The latest target is Reddit, the self-proclaimed "front page of the internet," which is embroiled in a fierce standoff with the many moderators and developers who volunteer to keep the site filled with content and refine its code. The disagreement centers on CEO Steve Huffman and fellow senior executives' decision to begin charging some third parties for access to the company's API, as the social news aggregation, content rating and discussion site seeks to become profitable on its journey to an initial public offering.

Enter the BlackCat ransomware group, which on Saturday claimed via its data leak site to have stolen 80 gigabytes of data from privately held Reddit on Feb. 5. The Russian-language group, which spun off from Conti, is demanding $4.5 million "in exchange for the deletion of the data and our silence." The criminals claimed to have sent their ransom demands to Reddit on April 13 and again on Friday.

Ransomware experts have long urged victims to never pay a ransom for anything intangible, such as promises to delete stolen data, saying there is no proof criminals have ever honored such a promise.

Reddit, which reports over 500 million monthly global visitors to its more than 100,000 active communities, appears to have no intention of paying. "We are very confident that Reddit will not pay any money for their data," BlackCat said. "But I am very happy to know that the public will be able to read about all the statistics they track about their users and all the interesting confidential data we took. Did you know they also silently censor users? Along with artifacts from their GitHub!"

Reddit disclosed the February attack for which BlackCat has claimed credit, saying at the time that a flurry of phishing messages tricked one of its employees into entering their credentials into a look-alike site. As a result, Reddit said, "the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems."

API Changes Anger Volunteers

The ransomware group on Saturday updated its demand, threatening to publish the stolen data unless Reddit pays it a ransom and rolls back pricing changes set to soon come into effect.

BlackCat is trying to insert itself into a controversy that has erupted between Reddit and many of its key volunteers. In April, Reddit announced that while "fair use" access will remain free, "we are introducing premium access for third parties who require additional capabilities, higher usage limits and broader usage rights." Changes set to take effect July 1 will allow third parties to make up to 100 queries per minute with an OAuth client ID or 10 queries per minute without one, which it says applies to 90% of apps that work with Reddit. Otherwise, Reddit will charge $0.24 per 1,000 API calls.

Company officials said the move was necessary in part due to technology giants using Reddit to train large language models they're using to develop artificial intelligence products. New terms and conditions also scheduled to go live July 1 include a prohibition on using Reddit data "to train a machine learning or AI model without the express permission of rightsholders in the applicable user content."

Numerous volunteer moderators and developers for Reddit have denounced the changes, characterizing them as a step too far after years of increasing tensions. Many said the changes would adversely affect some of the thousands of apps the all-volunteer moderators require to do their work and claimed Reddit was prioritizing profit over their needs.

Huffman, aka "Spez," defended the changes in a June 9 "Ask Me Anything" and post. "Reddit needs to be a self-sustaining business, and to do that, we can no longer subsidize commercial entities that require large-scale data use," he said.

Huffman promised exemptions would apply for accessibility tools, as well as some tools used by moderators, including RES, ContextMod and Toolbox, which he said account for about 3% of all moderation activity on Reddit.

Many volunteers responded that the proposed changes remain unfair. In protest, numerous moderators last week temporarily made thousands of Reddit pages go dark, returning "restricted" or "private" error messages when users attempted to access them. Huffman said the company won't negotiate on the pricing changes, and the company appears to be exploring restoring the darkened forums and replacing moderators who won't play ball.

Clearly, Reddit's leadership is trying to find a way to turn a profit without alienating the website's many volunteers. Such moves of course carry risk. Twitter is now worth one-third of the $44 billion its controversial CEO Elon Musk paid for it, demonstrating how easily once-thriving communities can fracture due to untrustworthy leadership.

The ransomware attack by BlackCat and threatened data leak don't change the parameters of the debate raging at Reddit. Criminals' attempt to turn the controversy to their own ends appears likely to have no real impact. Reddit and its users have bigger fish to fry as the company pursues its IPO.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.