{
	"id": "352d1ec4-7107-4404-82cb-698796ae9100",
	"created_at": "2026-04-09T02:23:12.807203Z",
	"updated_at": "2026-04-10T13:11:59.15637Z",
	"deleted_at": null,
	"sha1_hash": "c267080d9a999024efcf6e8080055569dd842f42",
	"title": "Another small firm suffers a serious ransomware attack: Cadre Services gets mauled by AlphV - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 463187,
	"plain_text": "Another small firm suffers a serious ransomware attack: Cadre\r\nServices gets mauled by AlphV - DataBreaches.Net\r\nPublished: 2023-10-19 · Archived: 2026-04-09 02:13:14 UTC\r\nThere are some data leaks that make you shake your head and wonder about how a firm responded to a\r\nransomware attack. This is one of them. \r\nCadre Services (previously known as Premier Staffing) is a Wisconsin-based company providing employment\r\nand staffing services for office professionals.  They have been in business since 1994.\r\nIn a listing on AlphV’s site, the threat actors claim that they acquired 100 GB of files including:\r\n– job seekers data (contacts, cv’s, id’s, drug screens, etc)\r\n– employees data (contracts, ssn, id’s, drug screens, contacts, payments, etc)\r\n– top management data (contracts, ssn, id’s, drug screens, contacts, payments, etc)\r\n– financial data (payments, transfers, etc)\r\n– ADB Ultrastaff data (all personal files used within this soft)\r\n– Smartsearch data (all I-9 records which could be find within this software files)\r\n– collection of pornography we have found at CFO Vincent Salvia PC which were hidden within HR\r\nfiles\r\nAlphV then leaked what they describe as the first part of the data dump because:\r\nUnfortunately for ordinary people the top management of Cadre Services offered only $35,000 to\r\nprotect their data. This sum is unacceptable. Since all the time needed for their bosses to make a\r\ndecision were given and all the evidences were provided, Cadre Services decided to stop at price they\r\nhave already offered, you can find all the data stolen from Cadre Services for free download now.\r\nIn support of that claim, DataBreaches was provided with screenshots of the negotiations between Cadre and the\r\nAlphV affiliate.  
From the screenshots, it appears they first contacted Cadre on or about September 19 and\r\nsomeone from the firm first responded on September 22.\r\nEarly interactions did not go well as the firm’s negotiator did not seem to really grasp that the affiliate had done\r\ntheir homework researching the firm and could see what the employees were doing — including emails to each\r\nother about how to communicate to clients about the breach.  The following is a snippet from an early interaction\r\nafter the negotiator insisted the firm could not afford to pay $300,000. [Note: DataBreaches has no idea if there\r\nreally was pornography in the files of the CFO and some of the CFO’s files have been locked in the data leak.]\r\nhttps://www.databreaches.net/another-small-firm-suffers-a-serious-ransomware-attack-cadre-services-gets-mauled-by-alphv/\r\nPage 1 of 4\n\nThe affiliate responded sharply to the negotiator’s response:\r\n“You dont have to play this games with us. We know your network – VINCE21-HP is the name for the\r\nVincent Salvia’s PC and 10.0.0.41 is an internal IP of his PC. The profile of Mr.Salvia titled with CFO\r\nof Cadre Services status at Linkedin, Zoominfo, Crunchbase, and even your own Organisational Chart.\r\nSo once again, if you will continue to play your games with us will will rise our demands.”\r\nThe firm’s negotiator, who would later identify himself as the IT manager, “Jason,” continued to insist that the\r\ncompany could not afford $300,000 and said the bosses were offering $25,000.00.  The affiliate responded by\r\npointing out that they could access the bank account and see that there was $190,000.00 in it.\r\nCadre’s subsequent attempts to negotiate fared no better, and their highest offer was $35,000.  And that’s where\r\nthings have remained since October 4.\r\nThat is, until yesterday when AlphV emailed the firm again and this time included clients and DataBreaches in the\r\ndistribution list. 
To show Cadre’s clients how serious it was, they included sample files from the data leak that\r\nwould be made today. One file included a screencap of a .csv file with employees’ 401k data with date of birth,\r\ndate of hire, SSN, name, address, wage information, etc. Another file included an applicant’s data in the form of I-9 records. And to make life even more difficult for Cadre, they showed the clients how Cadre attempted to\r\nminimize the severity of the situation by saying that their logs did not indicate any SSN were likely to have been\r\naccessed:\r\n“Our firewall logs show that there was normal internet traffic between the time of attack and when we\r\nunplugged the system. This suggests that personal information, including demographic data, social\r\nsecurity numbers, and other information was likely not compromised,” they would tell a client.\r\n“Likely not compromised”? By September 29, when that email exchange took place, Cadre had already had one\r\nweek to figure out that AlphV had acquired a lot of files with personal information.\r\nYesterday, DataBreaches emailed Cadre some questions after looking at a preview of the upcoming data leak and\r\nnoting a lot of concerning files. The questions asked whether the firm had any cyberinsurance or insurance to help\r\nthem recover from this attack. The second question was whether Cadre had any usable backups for the data AlphV\r\nhad locked.  The third question asked how many employees and applicants had their personal information\r\naccessed or acquired. 
The fourth question asked whether they had contacted law enforcement and whether they\r\nhad notified anyone whose personal information was stolen.\r\nNo response was received, even though DataBreaches noted that if they were concerned that AlphV was still in\r\ntheir system, they could call this site from a personal mobile number.\r\nSo today AlphV uploaded what they say is the first part of the data leak. In one folder alone, there were almost\r\n4,400 files with detailed personal and identity information on people seeking work. Most of these records used the\r\nDepartment of Homeland Security e-verify system. The forms included name, address, date of birth, Social\r\nSecurity number, and other identity information such as driver’s license or passport, etc.  Some of the information\r\nmay now be inaccurate because many of these 4,400 files are more than a decade old.  Why these files were not\r\nencrypted or stored offline is unknown to DataBreaches, but that was just one folder. Many other folders and files\r\nalso appear to contain varying amounts of personal information.\r\nCadre appears to have somewhat of an incident response nightmare on their hands. Hopefully, they have usable\r\nbackups, but they will still have a slew of individual notifications to make to people whose durable personal\r\nidentity information has not only been compromised but has now been made freely available. And hopefully, they\r\nalso have cyberinsurance or some policy that may help pay the recovery and incident response costs that will\r\nmount up.\r\nNote: DataBreaches notes that it’s always possible that Cadre never intended to pay at all and was just stalling\r\nfor time by appearing to negotiate.  
\r\nSource: https://www.databreaches.net/another-small-firm-suffers-a-serious-ransomware-attack-cadre-services-gets-mauled-by-alphv/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.databreaches.net/another-small-firm-suffers-a-serious-ransomware-attack-cadre-services-gets-mauled-by-alphv/"
	],
	"report_names": [
		"another-small-firm-suffers-a-serious-ransomware-attack-cadre-services-gets-mauled-by-alphv"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775701392,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c267080d9a999024efcf6e8080055569dd842f42.pdf",
		"text": "https://archive.orkl.eu/c267080d9a999024efcf6e8080055569dd842f42.txt",
		"img": "https://archive.orkl.eu/c267080d9a999024efcf6e8080055569dd842f42.jpg"
	}
}