ALPHA Ransomware launched DLS

Rakesh Krishnan
Coinmonks


NOTE: NOT to be confused with ALPHV Ransomware. This is a developing story and the latest developments will be added to this Research Article.

Ransomware operators generally launch a Data Leak Site (DLS) only after a series of successful compromises, so the launch of a DLS cannot be taken as the start of their operation; a group has typically been active for a few months before its DLS is introduced. The length of that gap also depends on how quickly the ransomware garners victims.

Representation Image: Alpha Launching DLS | Credit: Self — AI Art

Alpha Ransomware (not to be confused with ALPHV) recently opened a Data Leak Site (DLS) on the dark web, initially listing data from about 6 victims.

INTRODUCTION

Not much is known about Alpha Ransomware, which began targeting victims back in May 2023. It came to my attention while I was checking the TOX ID of the threat actor behind Alpha Ransomware.

As this ransomware is NOT prevalent (ATTOW: at the time of this writing) and its infection rate is lower than that of its competitors, there is no active Alpha sample out in the wild yet to analyze.

The only sample listed is SHA1: c2b73063a4a032aede7dfd06391540b3b93f45d8 (which is not yet documented anywhere as of now).

Like other ransomware families, Alpha appends a random 8-character alphanumeric extension to the encrypted files, as seen in ransom note names such as:-

46140264-Readme.txt
79508AE9-Readme.txt
8C362A73-Readme.txt
E145AA52-Readme.txt
A75BE48B-Readme.txt

ANALYZING THE BEHAVIOR OF THE ALPHA GROUP

Let’s analyze the Ransom Note pattern as an Anchor Point:-

During the initial stage [May 2023], it is notable that the threat actors had not yet produced a polished ransom note for their victims. They had not even decided on “ALPHA” as the name of their ransomware project.

This is evident from the following ransom note (RN):-

Your data have been stolen and encrypted.
Dont try to RECOVER, DELETE or MODIFY any files, this will make it impossible to restore.

We will help you in restoring your system, also decrypt several files for free.

You can contact us only via TOX messenger, download and install Tox client from: https://tox.chat/download.html
Add a friend with our TOX ID.

Our TOX ID: 98D120C9033653042E290627914B890A3291013F7377A976A028051C52440C71487D5F14DDA2

-----------------
Your personal decryption key:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

For their next victim (June 2023), they revised the ransom note as follows:-

Hello from Alpha Locker.
Your data have been stolen and encrypted.
Dont try to RECOVER, DELETE or MODIFY any files, this will make it impossible to restore.

We will help you in restoring your system, also decrypt several files for free.

You can contact us only via TOX messenger, download and install Tox client from: https://tox.chat/download.html
Add a friend with our TOX ID.

Our TOX ID: 98D120C9033653042E290627914B890A3291013F7377A976A028051C52440C71487D5F14DDA2

-----------------
Your personal decryption key:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The threat actors were not satisfied with this RN either, so they made a final revision in November 2023, as follows:-

            -=-=-=- Alpha ransomware -=-=-=-

-=- Your data have been stolen and encrypted -=-
-=- You won't be able to decrypt them without our help -=-
-=- Dont try to RECOVER, DELETE or MODIFY any files, this will make it impossible to restore -=-
-=- We will help you in restoring your system, also decrypt several files for free -=-

-=- Contact us for price and get decryption software -=-
Note that this server is available via Tor browser only Follow the instructions to open the link:
mydatae2d63il5oaxxangwnid5loq2qmtsol2ozr6vtb7yfm5ypzo6id.onion
1. Type the address "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser", install and run it.
3. Now you have Tor browser. In the Tor Browser open mydatae2d63il5oaxxangwnid5loq2qmtsol2ozr6vtb7yfm5ypzo6id.onion
4. Copy your personal decryption key and paste it in the window that appears, enter the captcha and click the button submit.
5. Start a chat and follow the further instructions.

-----------------
Your personal decryption key:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Analyzing the appended extension shows that the group initially used only random numbers as the extension of the infected files.

In later revisions, the group switched to a random 8-character alphanumeric extension.

From the above behavior we can infer that the group is relatively new and still setting up its operation. This is also evident from its newly launched DLS (Data Leak Site), which is unstable and frequently offline.
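As an added example (not the article's own code), a small Python triage helper built from the ransom note patterns described above: it checks the `<8-char ID>-Readme.txt` filename pattern, tags a note as one of the three revisions, records whether the ID is numeric or alphanumeric, and extracts the TOX ID and onion address. The sample note is constructed from the quoted June 2023 text; the 76-hex-character Tox ID and 56-character v3 onion length checks are assumptions drawn from those formats, not from the article.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Ransom note filename: 8-char alphanumeric ID + "-Readme.txt" (article samples).
NOTE_NAME_RE = re.compile(r"^(?P<id>[0-9A-Z]{8})-Readme\.txt$")
# Assumed formats: Tox IDs are 76 hex chars; v3 onion names are 56 base32 chars.
TOX_ID_RE = re.compile(r"Our TOX ID:\s*([0-9A-F]{76})")
ONION_RE = re.compile(r"\b([a-z2-7]{56}\.onion)\b")

# Constructed sample, modelled on the June 2023 note quoted in the article.
SAMPLE_NOTE_V2 = (
    "Hello from Alpha Locker.\n"
    "Your data have been stolen and encrypted.\n"
    "Our TOX ID: 98D120C9033653042E290627914B890A3291013F7377A976A028051C52440C71487D5F14DDA2\n"
)

@dataclass
class NoteMatch:
    victim_id: str
    id_style: str          # "numeric" (early notes) or "alphanumeric" (later notes)
    revision: int          # 1, 2 or 3: the three revisions described above
    tox_id: Optional[str]
    onion: Optional[str]

def classify_revision(text: str) -> Optional[int]:
    """Map note text to one of the three revisions; None if not an Alpha note."""
    if "-=-=-=- Alpha ransomware -=-=-=-" in text:
        return 3           # November 2023 banner style
    if text.lstrip().startswith("Hello from Alpha Locker."):
        return 2           # June 2023, first use of the name
    if "Your data have been stolen and encrypted." in text and "TOX ID" in text:
        return 1           # May 2023, unnamed
    return None

def triage_note(filename: str, text: str) -> Optional[NoteMatch]:
    """Return a NoteMatch when filename and body both fit the Alpha pattern."""
    name, revision = NOTE_NAME_RE.match(filename), classify_revision(text)
    if name is None or revision is None:
        return None
    victim_id = name.group("id")
    tox, onion = TOX_ID_RE.search(text), ONION_RE.search(text)
    return NoteMatch(
        victim_id=victim_id, revision=revision,
        id_style="numeric" if victim_id.isdigit() else "alphanumeric",
        tox_id=tox.group(1) if tox else None,
        onion=onion.group(1) if onion else None,
    )
```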

EXPLORING DLS

The DLS of the Alpha ransomware group is titled “MYDATA”, a name that, judging by the group's behavior so far, is likely to be changed since it is not catchy.

The dark web site can be reached at:

mydatae2d63il5oaxxangwnid5loq2qmtsol2ozr6vtb7yfm5ypzo6id.onion

Alpha Ransomware DLS

Let’s dig into each function found in the Alpha panel.

To communicate with victims, the group uses the conventional approach: each victim is given a Personal Decryption Key, which is used to log in to the panel, where the group gets in touch with the victim directly for ransom negotiation.

Victims are greeted by this login panel to initiate talks with the Alpha group.

Victim Login Prompt

After logging in, victims see several options:-

Victim Panel for Communication

NOTE: If you observe closely, you can see the Greek Small Letter “Alpha” on the tab.

The screenshot above confirms that the Alpha group has separated the panel into the following sections:- INVOICE, CHAT, INFO, TEST DECRYPT, LOGOUT.

The panel also offers to protect the chat session with a key generated between the victim and the threat actor.

INVOICE: Shows the ransom amount assigned to the victim, so victims can check what they are being asked to pay.
CHAT: For negotiation with the Alpha group.
INFO: Contains the instructions on how the process works (the “Hows”).
TEST DECRYPT: 3 sample files (less than 1MB) can be submitted for a test decryption.
LOGOUT: Ends the session.

Info Session in Alpha Panel

It can also be assumed that the Alpha group makes use of the Cloudflare Onion Service, which adds a layer of protection to the hosted onion domains.

Navigating to the data leaked/published by the group reveals that it maintains a separate Tor domain exclusively to host the leaked resources.

Leak Prompt

The victim list can be tracked to the following domain:-

2id7ik6lkd3jjjjlaarr3wckrxidp3bgl2jn5nhqciouk2ehuyakdiqd.onion

For each victim, the group assigns a unique password to access that victim's leaks under the same domain.

VICTIMIZATION

Currently (ATTOW) there are 6 victims listed:-

2 Victims from UK 🇬🇧
3 Victims from US 🇺🇸
1 Victim from Israel 🇮🇱

The affected sectors include: Electrical, Retail, Biochemical, Apparel, Health, Real Estate.

THREAT ACTOR DETAILS

The following information was obtained during this investigation:-

TOX ID: 98D120C9033653042E290627914B890A3291013F7377A976A028051C52440C71487D5F14DDA2
Bitcoin Address: bc1qff2u797mrekxtcnr68p2gqarnjxvy575jug430
Bitcoin Address: bc1q5d597cxs3gs7fzjtmga460eyad82temtt4rsln
Ransom Demands: 0.2720 BTC, 0.1684 BTC

CONCLUSION

From the panel and other factors such as the ransom demands, it can be deduced that the group is capable but still amateurish in this space. In the coming days we can expect more victims, and the group will become more visible and make headlines as it leaves more digital footprints.

UPDATE 1: EXPLORING FILE HOSTING

Earlier, the group used dedicated onion domains for each listed victim, but it has moved away from this approach and adopted the OnionShare service to host the compromised/leaked data.

Victims listed on OnionShare

NOTE: OnionShare is an open-source tool that allows anyone to share files securely and anonymously and to host websites.

While communicating with Alpha members, it was also found that a captcha verification is required for every message sent in the chat, to thwart any kind of automation by visitors.

Captcha Verification for each Message

It is also observed that the hosted content sits on a slow network, so downloads over the Tor network are slow. However, the Alpha members also advertise a high-speed dedicated server that promises faster downloads, via the following announcement:-

if you need a fast download. the price is 100 000$ for 1 company data. fix price.
you will get a dedicated server with fast internet connection

This signifies that the group is evolving and still testing the waters. Hence, we can expect more activity from Alpha in the coming months…


NOTE:- This article is purely individual research and is not to be used/published anywhere without the author’s consent.
