Exposing Alpha Ransomware: A Deep Dive into Its Operations

Alpha ransomware is an emerging threat that operates a dedicated data leak site (DLS) on the Dark Web, named MYDATA, which currently lists six victims and shows signs of ongoing development. Its tooling, including ransom notes, a victim login panel for negotiation, Tor onion services, and a TOX-based contact channel, points to an actor that is still maturing but actively operating.

Keypoints

  • Alpha ransomware appeared in May 2023 and has launched a Dark Web DLS named MYDATA with six listed victims.
  • At the time of reporting, Alpha is not highly prevalent and only one public sample is listed, SHA1 c2b73063a4a032aede7dfd06391540b3b93f45d8; treat that hash as a single-sample indicator rather than a signature for the family.
  • Ransom notes evolved over time, with the group using TOX messenger for contact and a personal decryption key delivered via their panel.
  • The DLS is reached through Tor onion addresses, and the group likely fronts them with Cloudflare Onion Service as an additional protective layer.
  • Alpha’s victim panel offers invoices, chat-based negotiation, an info page, and a test-decrypt feature, indicating a structured negotiation workflow.
  • Six victims across UK, US, and Israel span electrical, retail, biochemical, apparel, health, and real estate sectors, signaling multi-industry interest.

MITRE Techniques

  • [T1583] Acquire Infrastructure – The group stood up its own onion domains and a dedicated DLS (MYDATA) hosted as a Tor onion service with additional protective layers: “The Alpha ransomware group titled their DLS ‘MYDATA’,” accessed via the onion addresses listed below.
  • [T1567] Exfiltration Over Web Service – The mapping rests on the launch of the DLS to publish stolen data, e.g., “launch of its Dedicated/Data Leak Site (DLS) on the Dark Web and an initial listing of six victims’ data.” Note that T1567.002 is the sub-technique Exfiltration to Cloud Storage, which the report does not evidence, and that the DLS is the publication point; the channel used to move data out of victim networks is not described.
  • [T1090] Proxy – Tor/onion services hide the operators and host their resources; “It’s highly likely the Alpha group used Cloudflare Onion Service to add a layer of security to the hosted Onion domains.” Tor routing is more precisely the Multi-hop Proxy sub-technique, T1090.003.
  • [T1486] Data Encrypted for Impact – The core encrypt-and-hold tactic is shown in notes and behavior, e.g., “Your data have been stolen and encrypted.”

Indicators of Compromise

  • [Domain] 2 onion domains – mydatae2d63il5oaxxangwnid5loq2qmtsol2ozr6vtb7yfm5ypzo6id.onion, 2id7ik6lkd3jjjjlaarr3wckrxidp3bgl2jn5nhqciouk2ehuyakdiqd.onion
  • [Hash] SHA1 – c2b73063a4a032aede7dfd06391540b3b93f45d8
  • [Bitcoin Address] – bc1qff2u797mrekxtcnr68p2gqarnjxvy575jug430
  • [TOX ID] – 98D120C9033653042E290627914B890A3291013F7377A976A028051C52440C71487D5F14DDA2
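The IOCs above are copy-paste targets, and extraction errors in a threat-intel feed are common, so it is worth checking that each value is structurally sound before it goes into a blocklist, and then hunting for it. The script below is an added example, not part of the Netenrich report or of this summary: it validates the Tox ID checksum (the last two bytes are an XOR fold of the first 36), checks the v3 onion names against the Tor address format and checksum (SHA3-256 over ".onion checksum" || pubkey || version), and scans text for onion-, bech32- and Tox-ID-shaped tokens, flagging which ones are the listed indicators. The IOC values are the ones on this page; the proxy log lines and the note fragment are constructed for the demo, and all function names are mine.

```python
"""Sanity-check and hunt for the Alpha/MYDATA IOCs listed above.

Added example, not from the Netenrich report. The IOC values are the ones listed on
this page; the log lines and note fragment below are constructed for the demo.
"""
import base64
import hashlib
import re

# IOCs exactly as listed on this page.
ONION_DOMAINS = [
    "mydatae2d63il5oaxxangwnid5loq2qmtsol2ozr6vtb7yfm5ypzo6id.onion",
    "2id7ik6lkd3jjjjlaarr3wckrxidp3bgl2jn5nhqciouk2ehuyakdiqd.onion",
]
SAMPLE_SHA1 = "c2b73063a4a032aede7dfd06391540b3b93f45d8"
BTC_ADDRESS = "bc1qff2u797mrekxtcnr68p2gqarnjxvy575jug430"
TOX_ID = "98D120C9033653042E290627914B890A3291013F7377A976A028051C52440C71487D5F14DDA2"

KNOWN_ONIONS = set(ONION_DOMAINS)
KNOWN_BTC = {BTC_ADDRESS}
KNOWN_TOX = {TOX_ID}

# Generic shapes of the three indicator types, so unlisted candidates surface as well.
V3_ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b", re.I)        # v3 = 56 base32 chars
BECH32_BTC_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}\b", re.I)
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")                    # 38 bytes as hex


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the file content hashes to the single listed sample."""
    return sha1_hex(data) == SAMPLE_SHA1


def tox_id_checksum_ok(tox_id: str) -> bool:
    """Tox ID = 32-byte public key | 4-byte nospam | 2-byte checksum.

    The checksum is the 36 leading bytes XOR-folded into two bytes (byte i goes into
    checksum[i % 2]), so a mistyped or truncated ID copied from a report fails here.
    """
    if not TOX_ID_RE.fullmatch(tox_id):
        return False
    raw = bytes.fromhex(tox_id)
    calc = bytearray(2)
    for i, b in enumerate(raw[:36]):
        calc[i % 2] ^= b
    return bytes(calc) == raw[36:]


def v3_onion_checksum_ok(name: str) -> bool:
    """Verify a v3 onion address per the Tor rendezvous spec:
    base32(pubkey[32] | checksum[2] | version[1]), with version = 3 and
    checksum = SHA3-256(".onion checksum" | pubkey | version)[:2].
    """
    name = name.lower()
    if not V3_ONION_RE.fullmatch(name):
        return False
    raw = base64.b32decode(name[:-len(".onion")].upper())   # 35 bytes, no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected


def v3_onion_from_pubkey(pubkey: bytes) -> str:
    """Inverse of the check above; useful for building known-good test vectors."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def find_iocs(text: str) -> dict:
    """Extract onion / bech32 / Tox-ID shaped tokens and flag which are listed IOCs."""
    hits = {"onion": [], "btc": [], "tox": []}
    for m in V3_ONION_RE.finditer(text):
        v = m.group(0).lower()
        hits["onion"].append((v, v in KNOWN_ONIONS))
    for m in BECH32_BTC_RE.finditer(text):
        v = m.group(0).lower()
        hits["btc"].append((v, v in KNOWN_BTC))
    for m in TOX_ID_RE.finditer(text):
        v = m.group(0).upper()
        hits["tox"].append((v, v in KNOWN_TOX))
    return hits


# Constructed sample artifacts (not from the report): a proxy log with a hit on the
# listed DLS plus an unrelated onion name, and a note fragment with the contact details.
UNKNOWN_ONION = "a" * 56 + ".onion"
SAMPLE_PROXY_LOG = (
    f"2023-09-14T08:12:31Z CONNECT {ONION_DOMAINS[0]}:443 src=10.0.4.17\n"
    f"2023-09-14T08:12:40Z CONNECT {UNKNOWN_ONION}:443 src=10.0.4.17\n"
)
SAMPLE_NOTE = (
    "Your data have been stolen and encrypted.\n"
    f"Contact us on TOX: {TOX_ID}\n"
    f"Payment address: {BTC_ADDRESS}\n"
)

if __name__ == "__main__":
    print("Tox ID checksum valid:", tox_id_checksum_ok(TOX_ID))
    for d in ONION_DOMAINS:
        print(d, "v3 checksum valid:", v3_onion_checksum_ok(d))
    for kind, matches in find_iocs(SAMPLE_PROXY_LOG + SAMPLE_NOTE).items():
        for value, known in matches:
            print(f"{kind:5} {'KNOWN  ' if known else 'unknown'} {value}")
```

The unlisted onion in the constructed log is reported as an unknown candidate rather than dropped: on a real proxy log that is the line an analyst wants to see, since a fresh DLS mirror or negotiation portal will not be on any published list yet.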

Read more: https://netenrich.com/blog/alpha-ransomware-a-deep-dive-into-its-operations