BlackFile Actively Extorting Data-Theft Victims in Retail and Hospitality
A new extortion gang known as BlackFile, linked to the broader criminal network “The Com,” has been targeting retail and hospitality organizations since February 2026, using vishing-to-fake-SSO-phishing chains to steal credentials, exfiltrate SaaS data, and demand seven-figure ransom payments.
ARLINGTON, VIRGINIA — A surge in sophisticated voice-phishing (vishing) attacks has put the retail and hospitality sectors on high alert as a new threat actor, dubbed BlackFile, scales its operations. Unlike traditional ransomware groups that prioritize file encryption, BlackFile focuses almost exclusively on "data-theft-and-extortion." By combining old-school social engineering with modern SaaS API abuse, the group has successfully breached multiple international brands, threatening to leak sensitive employee records and customer PII unless multi-million dollar ransoms are met.
The group’s tactics signal an aggressive evolution in the "extortion-first" model. Security researchers from Palo Alto Unit 42 and the RH-ISAC (Retail & Hospitality ISAC) note that BlackFile often reverses the traditional pressure cycle — leaking portions of stolen data on the dark web before making initial contact with the victim. This "leak-first" strategy, combined with reported psychological warfare tactics like "swatting" company executives, marks BlackFile as one of the most volatile threats to emerge in the first half of 2026.
Threat Intelligence: BlackFile Extortion Profile
The Vishing-to-SSO Attack Chain
The BlackFile playbook begins with a high-pressure phone call. Attackers spoof VoIP numbers and caller ID names (CNAM) to pose as internal IT helpdesk staff. They target front-line retail or hospitality employees, claiming there is an "urgent security sync" required for their account.
The victim is directed to a pixel-perfect fake corporate Single Sign-On (SSO) login page. When the victim enters their credentials and provides a one-time MFA passcode to the "IT representative," the attackers use that real-time data to register a new rogue device or hijack the session. Once inside the SaaS environment, the group uses automated scripts to scrape internal directories and abuse APIs — such as Microsoft Graph and Salesforce APIs — to identify files containing keywords like "confidential," "SSN," or "Salary."
Psychological Warfare and "The Com" Connection
Analysts have linked BlackFile to a broader, loosely affiliated criminal network known as “The Com.” This ecosystem is notorious for blending digital crimes with real-world harassment. In several active BlackFile cases, the group has allegedly engaged in "swatting" — calling in false police dispatches to the homes of company executives — to escalate psychological pressure during ransom negotiations.
Communications often arrive via random Gmail addresses or even the compromised inboxes of the company's own employees. By the time a victim organization receives a formal demand, their data has usually already been hosted on a dark web leak site, leaving the company in a reactive "damage control" posture from the moment of discovery.
What to Do Now: Immediate Actions
- Implement "Callback" Protocols: Train staff to never provide credentials or MFA codes over the phone. Enforce a policy where employees must hang up and call the IT department back using a verified internal extension.
- Audit New Device Registrations: Monitor SSO logs for any new device enrollments or MFA method changes that occur immediately following a successful login, especially from unusual IP ranges.
- Harden SaaS API Access: Review and rotate API keys for Microsoft 365 and Salesforce environments. Restrict the ability of standard user accounts to perform bulk data exports via API.
- Executive Security Briefing: Ensure high-level leadership is aware of the "swatting" and direct-harassment risks associated with BlackFile to prepare corporate security and local law enforcement.
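One way to implement the device-enrollment audit recommended above, as an added example that is not from the original article or from any vendor: a short Python correlation over constructed SSO audit lines that flags any MFA method addition or device registration following a successful login by the same account within 15 minutes, rated high when that login came from outside known egress ranges. The pipe-delimited log format, field names and network ranges are assumptions to be mapped onto your identity provider's audit schema.

```python
"""Flag the post-vishing enrollment pattern: a successful SSO sign-in followed
within a short window by a new MFA method or device registration on the same
account. Field names and the pipe-delimited format are assumptions; the log
lines below are constructed, not real telemetry."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the organisation's known egress ranges (constructed example values).
TRUSTED_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
WINDOW = timedelta(minutes=15)
ENROLLMENT_EVENTS = {"mfa_method_added", "device_registered"}

def parse(line):
    """Assumed format: ISO timestamp | user | event | source IP."""
    ts, user, event, ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, "ip": ip}

def is_untrusted(ip):
    return not any(ip_address(ip) in net for net in TRUSTED_NETS)

def find_enrollment_after_login(lines, window=WINDOW):
    """Return (user, login_ip, event, when, severity) for each enrollment change
    that follows the same user's most recent successful login inside `window`.
    Logins from outside known ranges rate high; the rest medium, for review."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    last_login = {}  # user -> most recent successful login event
    alerts = []
    for e in events:
        if e["event"] == "login_success":
            last_login[e["user"]] = e
        elif e["event"] in ENROLLMENT_EVENTS:
            login = last_login.get(e["user"])
            if login and e["ts"] - login["ts"] <= window:
                severity = "high" if is_untrusted(login["ip"]) else "medium"
                alerts.append((e["user"], login["ip"], e["event"],
                               e["ts"].isoformat(), severity))
    return alerts

# Constructed sample audit trail: jdoe's second login is from an unknown network
# and is followed two minutes later by a new MFA method (the pattern to catch);
# the later device registration at 15:30 falls outside the window and is ignored.
SAMPLE_LOG = [
    "2026-03-02T14:01:10|jdoe|login_success|203.0.113.17",
    "2026-03-02T14:05:42|jdoe|login_success|192.0.2.55",
    "2026-03-02T14:06:00|bking|login_success|192.0.2.77",
    "2026-03-02T14:07:03|jdoe|mfa_method_added|192.0.2.55",
    "2026-03-02T14:09:30|asmith|login_success|198.51.100.8",
    "2026-03-02T14:10:00|asmith|device_registered|198.51.100.8",
    "2026-03-02T15:30:00|jdoe|device_registered|192.0.2.55",
]

if __name__ == "__main__":
    for alert in find_enrollment_after_login(SAMPLE_LOG):
        print(alert)
```

In production the trusted-range check is best replaced with a per-user baseline of previously seen networks, since a convincing caller can just as easily walk a victim through enrollment from the corporate office.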
The CyberSignal Analysis: Strategic Signals
Signal 01 — The Industrialization of Vishing
BlackFile’s success highlights that technical MFA controls can be rendered useless by a convincing voice. While many organizations have spent millions on "unphishable" hardware keys, BlackFile bypasses this by targeting the humans who manage the keys. In sectors like retail and hospitality, where staff turnover is high, this human attack surface remains the path of least resistance.
Signal 02 — SaaS Data as the New Ransomware
As companies move more "crown jewel" data into SharePoint, OneDrive, and Salesforce, threat actors are following. BlackFile represents the trend of extortion-only groups who realize that stealing a terabyte of PII is often more profitable than maintaining encryption infrastructure. We saw a similar prioritization of data theft over operational disruption in the ADT data breach, where attackers leveraged initial access to exfiltrate millions of records from a trusted security provider.
Signal 03 — The Convergence of Digital and Physical Threat
The use of "swatting" by BlackFile agents marks a dangerous bridge between cybercrime and physical violence. This tactic, previously confined to niche online harassment circles, is now being used as a high-stakes corporate negotiation tool, requiring a coordinated response between CISOs and physical security teams.