Cybercriminals who are using the ALPHV ransomware created a dedicated leak website in an apparent attempt to pressure one of their victims into paying the ransom.
First observed in November 2021 and also known as BlackCat and Noberus, ALPHV is the first ransomware family to have been developed using the Rust programming language.
ALPHV, which is believed to have ties with the cybercrime group behind the Darkside/Blackmatter ransomware, has compromised at least 100 organizations to date, based on the list of victims published on their Tor website.
The threat operates under the Ransomware-as-a-Service (RaaS) business model, with affiliates compromising organizations (via stolen credentials or by exploiting unpatched Microsoft Exchange servers) and stealing and encrypting data.
As Malwarebytes notes, ransom negotiations and data leaks are typically coordinated from ALPHV’s dark web site, but it appears that the miscreants took a different approach with at least one of their victims.
After successfully breaching a business in the accommodation industry, the cybercriminals created a dedicated leak website on the surface web, where they posted employee and guest data allegedly stolen from the victim’s systems.
“Bolder still, the site wasn’t on the dark web where it’s impossible to locate and difficult to take down, but hard for many people to reach. Instead, it was on the regular world wide web, where we (and law enforcement) could easily discover things like where it was located and what company was hosting it. It was even indexed by Google,” Malwarebytes says.
The dedicated leak site, which has been taken down, appeared to have been created to make the stolen information easily accessible to employees and guests, thus pressuring the hotelier into paying a ransom.
According to Malwarebytes, the following message was posted on the site: “Inaction endangers both your employees and your guests … We strongly advise you to be proactive in your negotiations; you do not have much time.”
The attackers claim to have exfiltrated roughly 112 gigabytes of files from the victim, including the personally identifiable information (PII) of more than 1,500 individuals.
As Malwarebytes points out, because this was the first time ALPHV’s operators created such a website, it’s yet unclear who exactly was behind it. It is possible that the site was created by an affiliate, that it was created by mistake, or that this was only an experiment.
Based on information on ALPHV’s Tor website, the victim is likely the Oregon-based luxury resort The Allison Inn & Spa. At the moment, the business’ website is down.
Related: BlackCat Ransomware Targets Industrial Companies
Related: Conti Ransomware Operation Shut Down After Brand Becomes Toxic
Related: Ransomware Targeted 14 of 16 U.S. Critical Infrastructure Sectors in 2021