What's Happening?
Security researchers have identified a new extortion group, BlackFile, which has been targeting retail and hospitality businesses since February 2026. The group, linked to the activity cluster CL-CRI-1116, is known for its financially motivated attacks.
Unlike other cybercriminal groups, BlackFile does not use custom malware; instead it abuses legitimate internal resources and APIs. The attackers carry out vishing attacks, impersonating IT helpdesks to steal credentials and one-time passwords, and they use spoofed VoIP numbers and fraudulent Caller ID Names to conceal their identities. Once they gain access, they register new devices to bypass multi-factor authentication and maintain persistence. The group focuses on SaaS data discovery and API abuse, exfiltrating data through browsers or API exports. They demand ransom through random Gmail addresses or compromised employee emails, sometimes resorting to swatting to force payment.
Why It's Important?
The activities of BlackFile highlight the evolving nature of cyber threats, particularly in the retail and hospitality sectors. These industries are vulnerable due to their reliance on digital systems and customer data. The group's tactics, which include bypassing multi-factor authentication and exploiting legitimate resources, underscore the need for robust cybersecurity measures. Businesses must enhance their security protocols, focusing on identity verification and employee training to recognize social engineering tactics. The financial impact of such attacks can be significant, with potential losses from data breaches and ransom payments. Moreover, the reputational damage can affect customer trust and business operations.
What's Next?
Organizations targeted by BlackFile need to strengthen their cybersecurity defenses. This includes implementing stricter security policies, enhancing multi-factor authentication, and conducting regular security awareness training for employees. Companies should also focus on monitoring and securing APIs and internal resources to prevent unauthorized access. As cyber threats continue to evolve, businesses must stay vigilant and proactive in their security strategies to protect against future attacks.
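The sequence described above, a new device registered for multi-factor authentication followed by data pulled through API exports, is something defenders can correlate in identity and SaaS audit logs. The Python below is an added example, not code from the researchers or any vendor; the event schema, field names, thresholds and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (assumption:
# your IdP and SaaS audit logs have been mapped to these field names).
EVENTS = [
    {"ts": "2026-03-02T09:00:00", "user": "b.chen", "type": "mfa_device_registered", "device": "dev-12"},
    {"ts": "2026-03-02T14:05:00", "user": "a.lopez", "type": "mfa_device_registered", "device": "dev-91"},
    {"ts": "2026-03-02T14:20:00", "user": "a.lopez", "type": "api_export", "device": "dev-91", "records": 48000},
    {"ts": "2026-03-02T15:00:00", "user": "c.ito", "type": "api_export", "device": "dev-30", "records": 52000},
    {"ts": "2026-03-03T08:00:00", "user": "d.roy", "type": "mfa_device_registered", "device": "dev-44"},
    {"ts": "2026-03-03T08:10:00", "user": "d.roy", "type": "api_export", "device": "dev-44", "records": 150},
    {"ts": "2026-03-04T09:30:00", "user": "b.chen", "type": "api_export", "device": "dev-07", "records": 90000},
]

WINDOW = timedelta(hours=24)   # assumed look-back after an enrollment
MIN_RECORDS = 10_000           # assumed "bulk export" threshold; tune per tenant


def find_suspicious_exports(events, window=WINDOW, min_records=MIN_RECORDS):
    """Flag bulk exports that follow a new MFA device enrollment by the same user."""
    enrollments = {}  # user -> [(enrollment time, device id), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "mfa_device_registered":
            enrollments.setdefault(ev["user"], []).append((ts, ev["device"]))
        elif ev["type"] == "api_export" and ev["records"] >= min_records:
            # Most recent enrollment first: it is the one most likely tied to this session.
            for reg_ts, device in reversed(enrollments.get(ev["user"], [])):
                if ts - reg_ts <= window:
                    alerts.append({
                        "user": ev["user"],
                        "records": ev["records"],
                        "minutes_after_enrollment": int((ts - reg_ts).total_seconds() // 60),
                        # An export issued from the just-enrolled device is the stronger signal.
                        "from_new_device": ev["device"] == device,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(EVENTS):
        print(alert)
```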












