A new ransomware group called Alpha has recently emerged with the launch of its Dedicated/Data Leak Site (DLS) on the Dark Web, featuring an initial listing of data from six victims.
Despite its recent appearance, Alpha ransomware (distinct from ALPHV) has been observed since May 2023, with a lower infection rate compared to its competitors and no active samples currently in the wild for analysis.
According to an advisory published by Netenrich security researchers on Monday, the ransomware appends a random 8-character alphanumeric extension to encrypted files, having moved from “random numbers” in its initial versions to an “alphanumeric 8-character” extension in later revisions. The ransom notes follow a similar pattern, showing how the group has iteratively refined its messages to victims over time.
Alpha ransomware’s DLS, titled “MYDATA,” is considered unstable and frequently offline, indicating the group is still in the process of setting up operations. The DLS includes a victim login prompt with various functionalities such as INVOICE, CHAT, INFO, TEST DECRYPT and LOGOUT.
“As a tactic, DLSs are here to stay,” explained Netenrich senior threat analyst Rakesh Krishnan in the advisory. “Because companies are required to disclose ‘material’ data breaches to the SEC, employees and clients, ransomware groups believe their victims will be more inclined to pay ransoms to avoid potential reputational damage or other breach-related costs.”
The victims, spanning diverse industry sectors like electrical, retail, biochemical, apparel, health and real estate, are from the UK, the US and Israel. The ransomware group’s Bitcoin address and demand, TOX ID, and other details were uncovered during the investigation.
According to Krishnan, the Alpha group’s ransom demand lacks consistency, suggesting a combination of talent and amateurism in the ransomware space.
“In the coming days, I’d expect more victims as the group becomes more visible, making headlines after collecting more digital footprints,” the security expert wrote. “Continued monitoring and analysis will be essential to better understand and mitigate the threat posed by this emerging ransomware variant.”