The ALP-001 ransomware group has claimed attacks on two high-profile European organizations: Kyocera Document Solutions Europe (UK) and Polsat, Poland's largest independent television broadcaster. Combined, the group claims to have exfiltrated approximately 150GB of data — 75GB from Kyocera and 75.71GB from Polsat. Neither organization has publicly confirmed the full scope of the breach. The attacks follow a pattern of ALP-001 targeting enterprises and high-visibility organizations across Europe with double-extortion tactics.
What Happened
Kyocera Document Solutions Europe — the UK-based European arm of Kyocera's office products and document solutions division — was hit by ALP-001, with the group claiming to have compromised core operational systems and exfiltrated 75GB of internal data. Kyocera has not publicly disclosed the financial impact or confirmed the specific systems affected.
Polsat — Poland's first and largest independent commercial TV station, with approximately $148.5 million in annual revenue — was struck in a separate but contemporaneous attack. ALP-001 claims 75.71GB of data exfiltrated from Polsat's systems. The timing of both attacks in close succession suggests ALP-001 is running parallel campaigns against multiple European targets, likely with pre-positioned access in both environments.
ALP-001 posted both victims to its dark web leak site. No ransom payment confirmation or denial has been made public by either organization.
What Was Taken
Kyocera Document Solutions Europe (75GB claimed):
- Corporate documents and internal communications
- Customer information — scope unconfirmed
- Operational system data
- Exact data classification not publicly disclosed

Polsat (75.71GB claimed):
- Content distribution data — potentially including unpublished or licensed media
- Advertising contracts and commercial agreements
- Subscriber and partner data — scope unconfirmed
- Internal operational and financial records
Neither organization has independently verified ALP-001's claims or published a detailed breach inventory. The media sector data stolen from Polsat carries particular commercial sensitivity — unreleased content, advertiser contracts, and rights agreements represent direct competitive and financial exposure beyond standard PII concerns.
Why It Matters
Two things stand out about this campaign.
First, ALP-001 is accelerating. In the same period, the group also claimed a $65M ransom demand against Terix and attacked a US news network — demonstrating the capacity to run simultaneous, multi-continent operations against diverse industry sectors. This is not a small criminal operation taking targets of opportunity; it is a structured ransomware-as-a-business running coordinated campaigns.
Second, the targeting logic is deliberate. Kyocera and Polsat are not random victims. Kyocera is a globally recognized enterprise technology brand with European operations — a reputationally sensitive target where operational disruption and data exposure create maximum negotiating pressure. Polsat is Poland's most prominent broadcaster, with public visibility that amplifies the reputational damage of a leak. ALP-001 selects victims where the combination of data sensitivity and public profile maximizes leverage.
For defenders, the critical takeaway is sector coverage: enterprise technology vendors, media companies, and broadcasters are now firmly in scope for sophisticated ransomware groups. The assumption that "we're not a bank or hospital" provides any protection is operationally wrong.
The Attack Technique
ALP-001's documented operational pattern:
- Initial access via exploitation of vulnerable internet-facing systems — unpatched VPNs, RDP endpoints, or web applications — or phishing campaigns targeting employees with privileged access
- Lateral movement across internal networks to identify high-value data stores, backup systems, and operational infrastructure
- Staged exfiltration of sensitive data prior to encryption — the double-extortion setup
- Ransomware deployment with simultaneous threat of public data release if demands are not met
- Dark web leak site posting to create public pressure and third-party notification (customers, regulators, press) that amplifies leverage
The specific initial access vectors for the Kyocera and Polsat attacks have not been confirmed. The volume and precision of exfiltration — 75GB per target — suggests extended dwell time and deliberate data selection rather than bulk collection.
What Organizations Should Do
- Patch internet-facing infrastructure on an emergency cycle. VPN appliances, RDP gateways, and web-facing applications are ALP-001's documented entry points. Treat unpatched internet-facing systems as active incidents — not scheduled maintenance items. Subscribe to vendor security advisories and patch within 24-48 hours of critical CVE disclosure.
- Audit and restrict RDP exposure. RDP should never be exposed directly to the internet. Where remote access is required, enforce VPN with MFA as a prerequisite. Audit firewall rules for any direct RDP exposure and close it immediately.
- Implement exfiltration detection before ransomware detection. By the time ransomware deploys, the data is already gone. DLP controls, anomalous outbound transfer alerts, and egress monitoring catch ALP-001's exfiltration phase — which is the only window where you can prevent the leverage from being established.
- Protect media and content assets with the same rigor as financial data. For broadcasters and media companies, unreleased content, rights agreements, and advertising contracts are crown jewels. Access controls, DRM, and content repository segmentation should reflect their commercial and competitive sensitivity.
- Maintain offline, immutable, tested backups. ALP-001 encrypts after exfiltrating. Offline backups don't eliminate the extortion leverage from stolen data, but they do eliminate the operational paralysis from encryption — which removes one of the two pressure points the group applies.
- Conduct threat hunting for ALP-001 TTPs proactively. Given the group's active European campaign cadence, organizations in enterprise technology and media should run targeted threat hunts for ALP-001 indicators of compromise. CISA, ENISA, and CERT.PL publish IOC feeds that should be ingested and acted on.
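The exfiltration-detection recommendation above is the one that can still break the double-extortion chain, so here is a worked illustration of the "anomalous outbound transfer" logic it calls for. This is an added example, not code from the article or from any vendor product: the log format, the IP addresses, the internal network ranges, the per-host baselines and the thresholds are all constructed for the demonstration. It aggregates outbound bytes per internal host per hour, ignores internal-to-internal traffic and sanctioned bulk destinations (an off-site backup target, for instance), and flags an hour in which a host either exceeds an absolute volume cap or a multiple of its own historical baseline, noting off-hours activity as an aggravating factor. The constructed log contains one workstation pushing several gigabytes to an external host in the early morning, which is the pattern a staged exfiltration of tens of gigabytes per target would produce over a longer window.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample egress records for this example only (not from any real
# device and not from the article). Assumed line format:
#   "<ISO-8601 UTC timestamp> src=<ip> dst=<ip> dport=<port> bytes_out=<n>"
SAMPLE_LOG = """\
2024-03-02T01:05:12Z src=10.20.5.17 dst=203.0.113.45 dport=443 bytes_out=2800000000
2024-03-02T01:22:48Z src=10.20.5.17 dst=203.0.113.45 dport=443 bytes_out=3100000000
2024-03-02T01:41:03Z src=10.20.5.17 dst=203.0.113.45 dport=443 bytes_out=2950000000
2024-03-02T02:07:19Z src=10.20.5.17 dst=203.0.113.45 dport=443 bytes_out=3300000000
2024-03-02T09:14:27Z src=10.20.5.31 dst=198.51.100.8 dport=443 bytes_out=18000000
2024-03-02T09:15:02Z src=10.20.5.31 dst=10.20.9.4 dport=445 bytes_out=7500000000
2024-03-02T10:30:00Z src=10.20.7.2 dst=192.0.2.77 dport=443 bytes_out=9000000000
2024-03-02T11:02:44Z src=10.20.5.44 dst=198.51.100.8 dport=443 bytes_out=21000000
"""

# The organisation's own address space (assumed: the RFC 1918 ranges). Anything
# outside these networks is treated as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Sanctioned bulk-egress destinations (constructed: an off-site backup target).
ALLOWED_EGRESS = {"192.0.2.77"}

# Typical outbound bytes per hour per host, as learned from history in a real
# deployment. Constructed values; unknown hosts fall back to DEFAULT_BASELINE.
BASELINE_BYTES_PER_HOUR = {"10.20.5.17": 40_000_000, "10.20.5.31": 30_000_000}
DEFAULT_BASELINE = 200_000_000
ABSOLUTE_LIMIT = 5_000_000_000   # 5 GB from one host in one hour is suspicious regardless
BASELINE_MULTIPLIER = 10         # ...and so is 10x the host's own normal volume

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into records; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                        "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return records


def is_external(ip):
    """True when the address lies outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hourly_egress(records):
    """Sum outbound bytes per (source host, hour bucket) for non-sanctioned external destinations."""
    totals = defaultdict(int)
    for r in records:
        if not is_external(r["dst"]) or r["dst"] in ALLOWED_EGRESS:
            continue
        bucket = r["ts"].replace(minute=0, second=0, microsecond=0)
        totals[(r["src"], bucket)] += r["bytes"]
    return totals


def detect_exfiltration(log_text):
    """Return one finding per (host, hour) whose egress volume breaches a threshold."""
    findings = []
    for (src, bucket), total in sorted(hourly_egress(parse_log(log_text)).items()):
        baseline = BASELINE_BYTES_PER_HOUR.get(src, DEFAULT_BASELINE)
        reasons = []
        if total >= ABSOLUTE_LIMIT:
            reasons.append(f"{total / 1e9:.2f} GB outbound in one hour exceeds absolute limit")
        if total >= baseline * BASELINE_MULTIPLIER:
            reasons.append(f"{total / baseline:.0f}x host baseline")
        if not reasons:
            continue
        if bucket.hour >= 22 or bucket.hour < 6:
            reasons.append("off-hours transfer")
        findings.append({"src": src, "window": bucket.isoformat(), "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_exfiltration(SAMPLE_LOG):
        print(f"{f['window']} {f['src']} {f['bytes']:>14,d} B  " + "; ".join(f["reasons"]))
```

On the constructed log this flags only 10.20.5.17, in two consecutive off-hours windows; the 7.5 GB SMB copy to 10.20.9.4 is internal and the 9 GB push to the allow-listed backup host is sanctioned, so neither raises an alert. The two thresholds are deliberately independent: the absolute cap catches a host whose baseline was never learned, while the baseline multiple catches a low-traffic host that suddenly moves a few gigabytes without ever reaching the cap. In production the baselines come from weeks of history per host, and the allow-list must be reviewed as carefully as a firewall rule, since a bulk-egress exception is exactly what an attacker would prefer to blend into.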