ALPHV Ransomware Operators Pressure Victim With Dedicated Leak Site

Cybercriminals who are using the ALPHV ransomware created a dedicated leak website in an apparent attempt to pressure one of their victims into paying the ransom.

First observed in November 2021 and also known as BlackCat and Noberus, ALPHV is the first ransomware family to have been developed using the Rust programming language.

ALPHV, which is believed to have ties with the cybercrime group behind the Darkside/Blackmatter ransomware, has compromised at least 100 organizations to date, based on the list of victims published on their Tor website.

The threat operates under the Ransomware-as-a-Service (RaaS) business model, with affiliates compromising organizations (via stolen credentials or by exploiting unpatched Microsoft Exchange servers) and stealing and encrypting data.

As Malwarebytes notes, ransom negotiations and data leaks are typically coordinated from ALPHV’s dark web site, but it appears that the miscreants took a different approach with at least one of their victims.

After successfully breaching a business in the accommodation industry, the cybercriminals created a dedicated leak website on the surface web, where they posted employee and guest data allegedly stolen from the victim’s systems.

“Bolder still, the site wasn’t on the dark web where it’s impossible to locate and difficult to take down, but hard for many people to reach. Instead, it was on the regular world wide web, where we (and law enforcement) could easily discover things like where it was located and what company was hosting it. It was even indexed by Google,” Malwarebytes says.

The dedicated leak site, which has been taken down, appeared to have been created to make the stolen information easily accessible to employees and guests, thus pressuring the hotelier into paying a ransom.

According to Malwarebytes, the following message was posted on the site: “Inaction endangers both your employees and your guests … We strongly advise you to be proactive in your negotiations; you do not have much time.”

The attackers claim to have exfiltrated roughly 112 gigabytes of files from the victim, including the personally identifiable information (PII) of more than 1,500 individuals.

As Malwarebytes points out, because this was the first time ALPHV’s operators created such a website, it is not yet clear who exactly was behind it. It is possible that the site was created by an affiliate, that it was created by mistake, or that this was only an experiment.

Based on information on ALPHV’s Tor website, the victim is likely the Oregon-based luxury resort The Allison Inn & Spa. At the moment, the business’ website is down.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
