City

BlackCat ransomware group leaks files stolen from D.C. convention bureau

The BlackCat ransomware group, also known as ALPHV, posted a trove of data stolen from Events D.C., Washington, D.C.'s convention bureau.

By Benjamin Freed

December 19, 2022

The Walter E. Washington Convention Center in Washington, D.C., on April 29, 2020. (Saul Loeb / AFP / Getty Images)

Malicious actors affiliated with the ransomware outfit known alternately as BlackCat and ALPHV published a trove of files last week stolen from Events D.C., the sports and convention authority in Washington.

The release comes about two months after Events D.C. reported that it had been the victim of a cyberattack that possibly compromised its employees’ personal information. Screenshots of the 85 gigabyte cache posted on an ALPHV leak site show a file directory leading to several folders containing information on the agency’s 400-person workforce and operations.

Events D.C. operates several large meeting spaces in the District of Columbia, including the city’s convention center, the D.C. Armory and an arena used by the WNBA’s Washington Mystics, as well as the the soon-to-be-demolished Robert F. Kennedy Stadium. It also owns the Nationals Park baseball stadium.

“We’re evaluating this apparent release of our data,” read an Events D.C. statement released Friday, the Washington Post reported.

In an Oct. 28 statement issued after the breach was detected, the authority said it “moved quickly to curtail the attack,” including hiring a third-party forensics firm and notifying local and federal law enforcement. Events D.C. also said it began offering its workers free credit-monitoring support.

Events D.C. has not officially described the incident as a ransomware attack, but the leak site viewed by StateScoop reads “Refused to pay, there’s all data.”

BlackCat/ALPHV arrived on the ransomware scene in November 2021 and quickly built a reputation as one of the more aggressive groups out there. According to research published early this year by Palo Alto Networks, BlackCat’s tactics are similar to other groups’, though it has innovated somewhat by writing its malware in Rust, a programming language increasingly popular among web application developers. It has been linked to several major ransomware incidents this year, including one against Quito, Ecuador, which forced the South American capital city to suspend several critical government services.

Events D.C. is the second local agency in the U.S. capital in as many years to have its personnel files stolen and leaked by ransomware actors. Last year, actors affiliated with the Babuk malware stole and posted data from the city’s Metropolitan Police Department, affecting dozens of officers.