Security researchers have revealed details of a new extortion group that has been actively targeting retail and hospitality businesses since February 2026. Palo Alto Networks’ Unit 42 teamed up with the Retail and Hospitality Information Security and Analysis Center (RH-ISAC) to publish a new report on April 23, Extortion in the Enterprise: Defending Against BlackFile Attacks, which ties financially motivated activity to the CL-CRI-1116 cluster and links it to BlackFile, UNC6671 and Cordial Spider.
BlackFile typically targets victims through vishing attacks impersonating the IT helpdesk, using spoofed VoIP numbers or fraudulent Caller ID Names to steal credentials and one-time passwords. The report notes that they exploit APIs and other legitimate internal resources rather than relying on custom malware. After gaining access, they register new devices to bypass MFA and move laterally to high-privileged accounts, scraping directories to obtain executive contacts.
Once inside, they focus on SaaS data discovery, API abuse and scraping SharePoint and Salesforce to exfiltrate data directly through the browser or via API exports, often under legitimate SSO-authenticated sessions to avoid alerts. Victims frequently face seven-figure extortion demands and the possibility of SWAT-ing.
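
One way a defender could hunt for the sequence described above, a new MFA device registration followed by bulk SharePoint or Salesforce exports, is sketched here as an added example that is not taken from the report or the original article. The event schema, action names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical normalized schema; action and app names are assumptions,
# not any vendor's audit-log format.
EXPORT_ACTIONS = {"file_downloaded", "api_export"}
SAAS_APPS = {"sharepoint", "salesforce"}


def _ev(ts, user, action, app):
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "app": app}


# Constructed sample events (not real log data).
EVENTS = (
    # alice: new MFA device, then six Salesforce API exports within the hour
    [_ev("2026-03-02T09:00:00", "alice", "mfa_device_registered", "idp")]
    + [_ev(f"2026-03-02T09:{10 + i}:00", "alice", "api_export", "salesforce") for i in range(6)]
    # bob: heavy SharePoint downloads but no new device registration
    + [_ev(f"2026-03-02T10:{10 + i}:00", "bob", "file_downloaded", "sharepoint") for i in range(8)]
    # carol: new MFA device, only two downloads afterwards
    + [_ev("2026-03-03T08:00:00", "carol", "mfa_device_registered", "idp")]
    + [_ev(f"2026-03-03T08:{20 + i}:00", "carol", "file_downloaded", "sharepoint") for i in range(2)]
)


def flag_post_enrollment_exports(events, window=timedelta(hours=24), threshold=5):
    """Map user -> export count for users whose SaaS exports within `window`
    of a new MFA device registration reach `threshold`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for start in (e["ts"] for e in evs if e["action"] == "mfa_device_registered"):
            count = sum(
                1 for e in evs
                if e["action"] in EXPORT_ACTIONS and e["app"] in SAAS_APPS
                and start <= e["ts"] <= start + window
            )
            if count >= threshold:
                flagged[user] = max(count, flagged.get(user, 0))
    return flagged


if __name__ == "__main__":
    for user, n in flag_post_enrollment_exports(EVENTS).items():
        print(f"{user}: {n} SaaS exports within 24h of a new MFA device registration")
```

Because the exports run under a legitimate SSO session, the correlation keys on the preceding device registration rather than on the session itself; volume alone (bob) or enrollment alone (carol) does not trigger it.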