BlackFile actively extorting data-theft victims in retail and hospitality sector
ID: 988886b8-db20-5c97-8625-c756b49c35c1
STIX ID: report--988886b8-db20-5c97-8625-c756b49c35c1
Feed Name: CyberScoop
BlackFile (also tracked as Cordial Spider/UNC6671) is conducting an ongoing, multi-industry extortion campaign. The group uses voice phishing and social engineering to impersonate IT support, harvests credentials via phishing/SSO pages, escalates into privileged accounts, and exfiltrates data from SaaS, Microsoft Graph, Salesforce, SharePoint and internal repositories. It then pressures victims with seven-figure ransom demands and a public data-leak site. RH-ISAC and Unit 42 recommend stronger caller identity verification and limiting what IT support can do without escalation.
