ALP-001
RansomwareALP-001 is a financially motivated ransomware group that emerged publicly around March 2026, though its activities as an Initial Access Broker (IAB) have been traced back to at least March 2023. The group transitioned from solely selling initial network access to a broader extortion model by launching its own Tor-based data leak site. This evolution indicates a strategic shift towards directly extorting compromised organizations, distinguishing them from traditional IABs who typically just sell access. While they possess verified credibility for selling access, their operational maturity regarding actual data exfiltration and ransomware deployment is assessed with moderate confidence to be low-to-moderate, with some leaked data observed to originate from misconfigured or publicly available services. The group also reportedly cycles through accounts and aliases when its credibility is challenged, which can lead to potential confusion with other threat actors or activities.
United Arab Emirates
Argentina
Austria
Belgium
Brazil
Canada
Switzerland
China
Cuba
Czech Republic
Germany
Spain
France
United Kingdom
Hungary
Israel
India
Italy
Japan
Korea, Republic of
Morocco
Mexico
Netherlands
New Zealand
Poland
Slovakia
Ukraine
United States