Emerging ransomware group ALP-001 has claimed responsibility for attacks on two high-profile European targets: Spanish commercial entity lacor.es and Polish media giant Polsat (polsat.pl). The group claims to have exfiltrated 182.71 GB from Lacor and 75.71 GB from Polsat, with a ransom deadline of April 8, 2026 set against Lacor. Neither organization has publicly confirmed the breaches at time of writing. This follows ALP-001's previously covered $65M demand against Terix, establishing a clear pattern of escalating European operations.

What Happened

ALP-001 has publicly claimed two separate but operationally linked attacks on organizations in Spain and Poland. In the first, the group claims to have breached lacor.es, a Spanish commercial website, and to have extracted approximately 182.71 GB of data. The listing also shows a figure of roughly $9 million described as revenue. That could be attacker income from a ransom payment or from underground data sales, which is how this article reads it below; but ransomware leak-site listings routinely display the victim's own annual revenue (compare the revenue figure quoted for Polsat below), so the number may simply describe Lacor's turnover. Neither reading has been confirmed. A hard deadline of April 8, 2026 has been imposed, with the implicit threat of public data release on non-compliance.

In the second incident, ALP-001 claims to have breached Polsat, one of Poland's largest commercial broadcasters and content producers, with reported annual revenues of approximately $148.5 million. The group claims that 75.71 GB of data was exfiltrated. The dual-country operation, announced publicly via social media and underground channels, is consistent with ALP-001's emerging playbook: high-visibility announcements designed to maximize reputational damage and accelerate victim capitulation.

This marks ALP-001's third publicly claimed major European incident in rapid succession, following the Terix attack. If the claims hold up, the operational tempo and geographic reach are consistent with an organized ransomware operation rather than an opportunistic actor.

What Was Taken

Lacor.es (Spain):
  - Approximately 182.71 GB of exfiltrated data, per the group's claim
  - Specific data types unconfirmed; given the volume, customer records, financial data, and internal business documentation are plausible, but this is inference, not evidence

Polsat (Poland):
  - Approximately 75.71 GB of exfiltrated data, per the group's claim
  - Specific data types unconfirmed; given Polsat's profile as a major media producer, production assets, employee records, internal communications, contractual information, and potentially broadcast infrastructure details are plausible, again as inference only

Neither victim has confirmed or detailed the content of the stolen data. If the $9M figure listed against Lacor does represent attacker proceeds rather than the victim's annual revenue, it would imply either a paid ransom or active monetization of the data on underground markets, and in either case that the data is already in circulation or under active criminal exploitation.

Why It Matters

ALP-001 is moving fast. Three claimed major European victims in a short window, Terix, Lacor, and Polsat, spanning manufacturing, commercial, and media sectors across at least three countries. The group is not targeting a single vertical or geography; it is stress-testing the European attack surface broadly.

Polsat is a particularly notable target: media organizations hold sensitive broadcast infrastructure data, talent and employee records, and contractual information with production partners. A breach at that level has potential implications beyond the organization itself; supply chain partners, production houses, advertisers, and broadcast infrastructure vendors all carry exposure.

The April 8 deadline against Lacor is imminent and creates a near-term data release event that defenders and partners of that organization must treat as probable.

The Attack Technique

Technical intrusion details have not been publicly disclosed by the victims or by ALP-001, so no initial access vector, tooling, or encryption behaviour can be attributed to these incidents with confidence.

What can be observed is operational rather than technical: the consistent structure across the Terix, Lacor, and Polsat claims (a public announcement, a stated data volume, a hard deadline) suggests a rehearsed playbook rather than improvised attacks.

What Organizations Should Do

  1. Treat the April 8 deadline as a data release event — Organizations with partnerships or data-sharing relationships with Lacor should assume potential exposure and begin breach notification planning now; under GDPR the 72-hour notification clock starts when the controller becomes aware of a breach, not when the data is published.
  2. Audit exposed remote access services immediately — No ALP-001-specific entry vector has been disclosed, but VPN concentrators, RDP endpoints, and public-facing web applications are the most common ransomware entry vectors in general; verify patch status, enforce MFA, and review authentication logs for logins from unexpected geographies or outside business hours.
  3. Implement exfiltration detection — Volume-based outbound-transfer alerts would surface a 182 GB or 75 GB transfer if it happened as a burst; note that exfiltration is often spread across many hosts and days, or tunnelled through sanctioned cloud storage, so monitor per-host outbound volume over long windows as well as short ones. If you don't have DLP or NetFlow anomaly detection, prioritize it.
  4. Check underground forums for your data — Proactive dark web monitoring for organizational data is now standard practice for any European organization above a threshold size.
  5. Establish a ransomware response runbook — ALP-001 sets hard deadlines; organizations that have not pre-negotiated incident response retainers or established internal decision frameworks will lose time they don't have when targeted.
  6. Media and broadcast sector: treat production infrastructure as critical — Broadcast systems, playout servers, and production networks are increasingly targeted; segment them from corporate IT and apply the same security posture as operational technology environments.
