Rakesh Krishnan, Netenrich Provides an Inside Look at the Growing Threat of the Alpha Ransomware Group

According to Rakesh Krishnan of Netenrich, a new player has emerged: Alpha ransomware. This distinct group, not to be confused with ALPHV ransomware, has recently stepped into the spotlight by launching its Data Leak Site (DLS) on the Dark Web, complete with an initial roster of six victims.

Background on Alpha Ransomware

First detected in May 2023, Alpha ransomware was initially identified by Rakesh Krishnan of Netenrich through a TOX ID that has been active since the same period. It is important to note, however, that Alpha ransomware is not yet widespread: its infection rates trail those of its competitors, and active samples for analysis are scarce in the wild. The only identified sample bears the SHA1 hash c2b73063a4a032aede7dfd06391540b3b93f45d8.

Like many of its counterparts, Alpha ransomware leaves its mark by appending an 8-character alphanumeric extension to encrypted files.

Evolution of the Ransom Note

Alpha's ransom note has undergone notable changes since its inception. Initially, the ransom note lacked sophistication and even omitted the name "Alpha." It simply warned victims against attempting to recover, delete, or modify encrypted files and offered decryption assistance. The note also provided a TOX ID for contact.

Subsequent iterations in June and November 2023 brought further refinements. The group added the name "Alpha Locker" and, later, more detailed instructions on using the Tor browser to reach their server.

A Closer Look at the Data Leak Site (DLS)

The Alpha group titled their DLS "MYDATA," which might undergo a name change due to its lack of appeal. The site offers a conventional victim communication panel, providing personal decryption keys for logging in. The panel includes various sections: INVOICE, CHAT, INFO, TEST DECRYPT, and LOGOUT. These features facilitate ransom negotiation and provide a platform for testing decryption on sample files.

Interestingly, the Alpha group appears to use Cloudflare's Onion Service for additional security on their hosted Onion domains.

Victimization Across Various Sectors

As of this report, the Alpha ransomware group has impacted a diverse range of industries, including electrical, retail, biochemical, apparel, health, and real estate, with victims located in the UK, the US, and Israel.

Threat Actor Profile and Future Prospects

The investigation has revealed key details about the threat actor, including their TOX ID and Bitcoin address. However, the inconsistency in ransom demands suggests a lack of experience. Despite their amateurish approach, the Alpha group shows potential, indicating that they might become more prominent in the cybercrime arena, potentially targeting more victims.

As this situation unfolds, continuous monitoring and analysis will be crucial to understand and counteract the threats posed by this new ransomware variant. Stay tuned for further updates on this emerging cyber threat.