ALPHV Ransomware Targets Irish University

Lucas Oliveira
4 min readAug 26, 2023

The notorious ALPHV ransomware group, also known as BlackCat, aims to intensify pressure on their targets for ransom payments by introducing an API for their leak site, thereby amplifying the visibility of their attacks. This strategic move comes on the heels of their recent breach of Estée Lauder, where the beauty company boldly dismissed the threat actor’s attempts to engage in negotiations over the ransom demand.

This move follows the gang’s recent MOVEit data theft attack on Estée Lauder which ended with the beauty company completely ignoring the threat actor’s effort to engage in negotiations for a ransom payment.

Simplify ALPHV ransomware API Calls in Python

Earlier this week, several researchers discovered that the ALPHV/BlackCat data leak site unveiled a new page, offering instructions on utilizing their API to access real-time updates about new victims. APIs, short for Application Programming Interfaces, serve as bridges enabling communication between software components based on predefined definitions and protocols. The malware research group VX-Underground highlighted this fresh addition on ALPHV’s website, but it appears that the “feature” had been accessible, albeit to a smaller audience, for several months.

Within the API calls provided by the ALPHV ransomware, one can obtain various information about the latest victims added to their leak site or receive updates starting from a specific date. The gang elaborated, stating, “Fetch updates since the beginning and synchronize each article with your database. After that, any subsequent updates call should supply the most recent ‘updatedDt’ from previously synchronized articles + 1 millisecond.”

ALPHV ransomware group’s decision to offer an API for their leak site adds a layer of complexity to their tactics, making it essential for cybersecurity professionals to remain vigilant and prepared against such threats. By employing this innovative approach, the ransomware gang seeks to maintain a steady stream of pressure on victims, compelling them to comply with their demands. Moreover, the API’s presence on the leak site serves as a stark reminder of the evolving nature of cyberattacks and the need for organizations to continually bolster their security measures.

Estée Lauder’s defiant response to the threat actor’s ransom demand sets an example for other potential victims, underscoring the importance of refusing to negotiate with cybercriminals. However, it also highlights the urgency for companies to fortify their cybersecurity infrastructure and proactively defend against ransomware attacks.

Fewer Paying Victims

The group also provided a Python-based crawler to retrieve the latest data leak site information. The organization has not explained the API’s release, but the declining number of ransomware victims may be one reason. According to a survey from Coveware, a ransomware incident response business, the percentage of paying victims fell to an unprecedented low of 34% in the second quarter of this year. However, certain threat actors continue to benefit by penetrating the supply chain and accessing many organizations.

It is estimated that the Clop ransomware syndicate earns $75 million from its massive MOVEit data appropriation effort. Clop’s zero-day vulnerability in MOVEit Transfer’s secure file transfer platform may affect hundreds of companies. Estée Lauder was also compromised by ALPHV/BlackCat. The ransomware gang raged against the company’s security systems, blaming the hired experts for the repeated network intrusions.

Ransomware factions constantly innovate to coerce and steal payments. In an ever-changing cyber threat scenario, these malicious entities devise schemes to maximize profits. However, alert defenders constantly foil their schemes, making their success unlikely. The lack of vulnerable people makes ransomware a growing threat, forcing criminals to try new methods. However, potential targets’ resistance and cybersecurity guardians’ efforts make such plots difficult to achieve.

In this elaborate scam, ransomware factions seek effective ways to steal money. They now spread leaks to a wider audience. This bold initiative has several risks, making its outcome unpredictable. The venomous messages of ransomware groups spread rapidly through cyber extortion, highlighting their zeal for profit. If opponents mount a counteroffensive, they may fail to expand.

Ransomware revenue strategies

Ransomware syndicates dance between malicious actors and vigilantes to maximize revenues. Their effort to increase leaks requires accuracy and risk. Ransomware collectives exploit loopholes in cyber warfare, mocking victimized companies’ defenses. Novel methods to coerce and extract ransoms are ceaselessly sought, although their efficacy is unclear.

As ransomware assaults increase, victims are left behind, emboldening these factions’ scorn for targeted organizations’ security responses. Their influence-boosting strategies are uncertain. The vitriolic taunting of ransomware syndicates discloses security flaws in this sophisticated cyberwarfare. They venture into unexplored territory with avaricious goals, but the results are unknown.

This angered the ransomware gang, which mocked the company’s security flaws. Post-breach experts were criticized, with the hacked network proving their ineffectiveness.

Ransomware gangs are looking for new ways to extort money as their victims decline. The ALPHV ransomware group seeks new ways to coerce and steal money when victims pay less. Ransomware companies’ latest extortion tactic is leaking their data, but it looks like it will fail.