A new extortion group is making its mark on the retail and hospitality sectors, and it does not need a single piece of malware to do serious damage. BlackFile extortion attacks have been hitting organizations since February 2026, using nothing more than a phone call, a fake login page, and a well-rehearsed script to extract millions from victims. Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center published a joint report on April 24 detailing the group’s tactics, and the picture it paints is a sharp warning for any business with a frontline workforce.
Who Is BlackFile?
BlackFile is a financially motivated threat group also tracked under the names CL-CRI-1116, UNC6671, and Cordial Spider. Researchers have linked the group with moderate confidence to “The Com,” a loose network of English-speaking cybercriminals known for extortion, violence, and the recruitment of young people into criminal activity.
What sets BlackFile apart from most extortion groups is its complete avoidance of custom malware. The group operates entirely by abusing legitimate tools and APIs already present inside victim environments, so defenders rarely see the kind of alerts that traditional attacks trigger. The attack is built on deception from start to finish, and that makes it exceptionally difficult to catch early.
How the BlackFile Attack Works
The Call That Starts It All
Every BlackFile intrusion begins with a phone call. Attackers spoof VoIP caller IDs so that the call appears to come from the company's own IT department. The employee who answers hears a convincing helpdesk representative, who directs them to a login page that looks identical to the company's single sign-on portal. The page looks legitimate but is a credential harvester: everything the employee types is captured and forwarded to the attacker in real time.
The attacker uses the relayed one-time passcode immediately, before it expires, to complete the sign-in themselves and enroll a device they control as a new MFA authenticator on the account. From that point they no longer need to intercept codes, because their own device is now a trusted factor in the authentication chain.
From Helpdesk to Executive Access
After gaining initial access, BlackFile does not stop at one account. Attackers scrape internal employee directories to map out the organization and identify executive-level targets. They then pivot upward through the company using further social engineering, compromising senior accounts and mirroring legitimate session activity to avoid triggering security alerts.
This approach gives them broad, persistent access that looks, to most monitoring tools, like normal business activity. Because the sessions appear legitimate, standard detection rules often miss the intrusion entirely.
Stealing Data Without Triggering Alarms
Once inside, BlackFile focuses on data discovery across SaaS environments. The group abuses Salesforce APIs and SharePoint’s standard download functions to search for files containing terms like “confidential” and “SSN.” Large volumes of data, including CSV files with employee phone numbers and sensitive business reports, then move to attacker-controlled servers under the cover of legitimate SSO-authenticated sessions.
Because the group relies entirely on standard API calls made through the applications' own interfaces, the activity blends in with normal operations and does not produce the unusual user-agent strings or tooling signatures that basic security monitoring keys on.
The Extortion Playbook
Leak First, Demand Second
BlackFile’s extortion approach flips the script on conventional ransomware groups. Most ransomware operators encrypt data first and only threaten to leak it if the victim refuses to pay. BlackFile, however, publishes stolen documents to its dark web leak site before sending a ransom demand at all. By the time a victim receives the demand, their data is already public.
The demands themselves arrive through compromised employee email accounts or randomly generated Gmail addresses. That makes them easy to dismiss as spam at first glance, but the situation becomes urgent as soon as the victim finds their own confidential data indexed on a public leak site. Ransoms reach into the seven figures.
Swatting as a Pressure Tactic
BlackFile also extends its pressure tactics beyond the digital space. Some victims and senior executives have faced swatting attacks, where the group makes false emergency calls to law enforcement to send armed police to their physical locations. This adds a layer of real-world intimidation designed to accelerate payment and signal that the threat is not purely abstract.
Why Retail and Hospitality?
These sectors present an attractive combination for groups like BlackFile. Retail and hospitality businesses employ large frontline workforces with high staff turnover, frequent IT helpdesk interactions, and limited security awareness training. Employees are often conditioned to respond quickly to IT requests without questioning them, and that compliance is exactly what BlackFile exploits.
The group also benefits from the fact that standard phishing training does not prepare staff for voice-based attacks. Most employees can spot a suspicious email, but far fewer know how to interrogate an authoritative-sounding caller who claims to be from internal IT support.
How to Defend Against BlackFile Extortion
The RH-ISAC report outlines several concrete defensive measures that organizations should implement without delay.
Call-handling policies need to be clearly defined and consistently enforced. IT helpdesks should never ask employees to visit login pages over the phone or accept credential information during a call. Any request that falls outside that policy should automatically escalate to management rather than being resolved in a single interaction.
Multi-factor identity verification for callers should also be mandatory before any account change, password reset, or device enrollment takes place. Whenever a new MFA device is registered, especially following a helpdesk interaction, that event should trigger an immediate alert for the security team to review.
Salesforce and SharePoint API activity should be monitored for bulk downloads and searches for sensitive terms. Even when sessions appear legitimate, anomalous access patterns should be flagged and investigated promptly.
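The monitoring described above, as an added example for this article (not code from the Unit 42 / RH-ISAC report or from Salesforce or Microsoft): a Python detector that runs over SaaS audit events, flags searches for sensitive terms, flags bulk downloads using a sliding per-account window, and raises the severity when the two happen in sequence, since "search for confidential/SSN, then pull the hits" is the discovery-then-exfiltration pattern the report describes. The event fields (ts, user, app, op, query or path, bytes), the thresholds and the sample events are assumptions; real Salesforce Event Monitoring and SharePoint audit records carry different field names and need their own mapping.

```python
"""Flag SaaS data-discovery and bulk-download behaviour in Salesforce and
SharePoint audit events, and raise the severity when the two occur in
sequence for the same account.

Added example, not code from the Unit 42 / RH-ISAC report. The event fields
(ts, user, app, op, query/path, bytes) are an assumption standing in for the
real Salesforce Event Monitoring and SharePoint audit schemas; the thresholds
are starting points to tune against your own baseline.
"""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

SENSITIVE_TERMS = re.compile(
    r"\b(confidential|ssn|social security|passport|payroll|salary)\b", re.I
)
BULK_WINDOW = timedelta(minutes=10)          # sliding window per (user, app)
BULK_COUNT = 20                              # downloads in window, or ...
BULK_BYTES = 500 * 1024 * 1024               # ... bytes in window
DISCOVERY_TO_EXFIL = timedelta(hours=2)      # search -> bulk download link


def detect_saas_abuse(events):
    """Return alerts for sensitive-term searches and bulk downloads.

    Events may arrive in any order; they are processed by timestamp. A bulk
    alert fires once when the window first crosses a threshold, not on every
    later download, so a long exfiltration does not flood the queue.
    """
    alerts = []
    windows = {}          # (user, app) -> deque of (ts, bytes)
    in_bulk = set()       # (user, app) currently above threshold
    last_sensitive = {}   # user -> ts of most recent sensitive search

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, app, ts = ev["user"], ev["app"], ev["ts"]
        key = (user, app)
        if ev["op"] == "search":
            if SENSITIVE_TERMS.search(ev["query"]):
                last_sensitive[user] = ts
                alerts.append({
                    "rule": "sensitive_term_search", "severity": "medium",
                    "user": user, "app": app, "ts": ts, "detail": ev["query"],
                })
        elif ev["op"] == "download":
            dq = windows.setdefault(key, deque())
            dq.append((ts, ev["bytes"]))
            while dq and ts - dq[0][0] > BULK_WINDOW:
                dq.popleft()
            count = len(dq)
            total = sum(b for _, b in dq)
            above = count >= BULK_COUNT or total >= BULK_BYTES
            if above and key not in in_bulk:
                in_bulk.add(key)
                searched = (user in last_sensitive
                            and ts - last_sensitive[user] <= DISCOVERY_TO_EXFIL)
                alerts.append({
                    "rule": "discovery_then_bulk_download" if searched else "bulk_download",
                    "severity": "high" if searched else "medium",
                    "user": user, "app": app, "ts": ts,
                    "detail": f"{count} files, {total} bytes in {BULK_WINDOW}",
                })
            elif not above:
                in_bulk.discard(key)
    return alerts


def constructed_sample():
    """Constructed sample events (not real telemetry): one account searches
    for sensitive terms and then pulls 25 CSVs in four minutes; two others
    behave normally."""
    base = datetime(2026, 3, 4, 10, 0, tzinfo=timezone.utc)
    events = [
        {"ts": base, "user": "mallory@example.com", "app": "sharepoint",
         "op": "search", "query": "confidential SSN", "bytes": 0},
        {"ts": base + timedelta(minutes=2), "user": "frank@example.com",
         "app": "sharepoint", "op": "search", "query": "q3 roadmap", "bytes": 0},
    ]
    for i in range(25):
        events.append({"ts": base + timedelta(minutes=5, seconds=10 * i),
                       "user": "mallory@example.com", "app": "sharepoint",
                       "op": "download", "path": f"/HR/employees_{i}.csv",
                       "bytes": 2_000_000})
    for i in range(3):
        events.append({"ts": base + timedelta(minutes=7, seconds=30 * i),
                       "user": "erin@example.com", "app": "salesforce",
                       "op": "download", "path": f"/reports/pipeline_{i}.csv",
                       "bytes": 1_000_000})
    return events


if __name__ == "__main__":
    for a in detect_saas_abuse(constructed_sample()):
        print(a["severity"].upper(), a["rule"], a["user"], a["detail"])
```

On the sample, mallory produces two alerts: the sensitive-term search, and a high-severity discovery-then-bulk-download alert at the twentieth file, eight minutes after the search. Erin's three report downloads and Frank's ordinary search produce nothing. The session in all three cases is a valid SSO session, which is the point: the rule keys on what the account does, not on how it authenticated.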
Most critically, social engineering training needs to include vishing simulations, not just phishing awareness. Employees should practice receiving fraudulent IT calls so that the scenario feels familiar when it happens in reality. Simulation-based training that mirrors the BlackFile scenario specifically gives organizations a measurable way to identify and close gaps before a real attack arrives.
Final Thoughts
BlackFile extortion attacks are a clear reminder that the most dangerous threats do not always look like threats. The group achieves seven-figure payouts by exploiting trust, not technology. And that is precisely what makes it so effective against organizations that have invested heavily in technical defenses. For retail and hospitality businesses especially, the exposure is real and the timeline is active. The group has maintained consistent operations since February, and there is no sign of that slowing. Reviewing call-handling policies, tightening MFA enrollment controls, and running vishing simulations should move to the top of the security agenda now, before an incident report is what finally forces the conversation.