Skip to main content

Ransomware victim disclosure

All victims

Cheval Blanc Randheli

Claimed by Aurora · listed 3 months ago

2m
Age
since listed · data leaked

Status timeline

  1. ListedApr 29, 2026
  2. Data leakeddate unknown

At a glance

Group
Aurora
Status
Data leaked
Country
Maldives
Listed on leak site
Apr 29, 2026

About the victim

AI dossier — public-source company profile

Cheval Blanc Randheli is an ultra-luxury private island resort operated by Cheval Blanc (an LVMH group brand) on Randheli Island in the Noonu Atoll, Maldives. The property caters to high-net-worth and VIP guests, including royalty and government officials, and operates under a management contract between LVMH and the property owner. It is one of a small number of Cheval Blanc branded properties worldwide.

Industry
Ultra-Luxury Resort & Hospitality
Address
Randheli Island, Noonu Atoll, Maldives
Employees
1000-2000
Founded
2013

Attack summary

Severity: critical — Mass exfiltration of regulated PII at extraordinary scale and sensitivity: 75,855 passport scans (full biographic pages including MRZ and signatures) for tens of thousands of individuals including named royalty and government officials; full home addresses; partial financial data; non-rotatable biometric templates; plaintext credentials granting ongoing infrastructure access; and confidential LVMH corporate and financial documents. This combines large-scale identity data, government/VIP exposure

The Aurora ransomware group claims to have exfiltrated a large volume of highly sensitive data from Cheval Blanc Randheli, including 75,855 passport scan images of an estimated 20,000–30,000 unique guests spanning a decade, full PMS guest profiles for 30,000–50,000 individuals, employee records including biometric data, plaintext credentials, BitLocker recovery keys, biometric templates, and confidential LVMH corporate documents. The data is described as published.

critical

Data the group says was taken

AI dossier — extracted from the leak post
  • Passport scan images (75,855 files, ~20,000–30,000 unique guests)
  • Guest PMS profiles (30,000–50,000 records incl. home addresses, partial card data)
  • VIP guest classification and stay histories
  • Employee salary records (2017–2026)
  • Employee medical insurance claims
  • Employee biometric enrollment data (fingerprint/facial, Gladis system)
  • Employee ID photos (~200)
  • Employee vacation/leave records
  • Key Management Personnel compensation details
  • BitLocker full-disk encryption recovery key
  • Plaintext system passwords (Passwords.docx)
  • Extranet and vendor credentials
  • 3CX VoIP SIP credentials and call routing configuration
  • LVMH–property owner management contract
  • Board investment recommendation (Velidhoo property)
  • 10 years of budgets and revenue forecasts
  • Audited subsidiary financial statements (I&T / Sitax)
  • LVMH White Book operational standards manual
  • Building Management System data (HVAC, power, desalination, lighting)

What the group claims

[lvmh] Guest Passport Scans — 75,855 Files, 10 Years The single largest data category: 75,855 passport scan images spanning January 2015 through October 2024, organised in daily folders within monthly and yearly directories. These represent an estimated 20,000–30,000 unique guests. Each scan contains the full passport bio page: photo, full name, date of birth, nationality, passport number, machine-readable zone (MRZ), and signature. Among the exposed passports: Qatar Royal Family members — 9 passport scans including Muhammad Mesned S M Al-Misned, Abdulla, Khalifa, Lolwa, Nasser, Alanoud, Bessy, and Mesned UAE VIP and government officials — including H.E. Ahmed Saif Ali Aldhabea Aldarmaki, H.E. Matar Suhail Ali Alyabhouni Aldhaheri, and members of an April 2024 private buyout group who arrived on private jets (tail numbers A6AUH, A6DAH) LVMH head-office executives — 7 passport/profile photos including named senior staff from Paris Guest PMS Data — 30,000–50,000 Profiles Opera PMS exports containing full names, home addresses (street-level), nationalities, VIP classification levels (A/B/C/G), partial credit card data (last-4 digits + expiry + card type), deposit amounts, booking confirmation numbers, stay histories, travel agent details, flight numbers, and guest preferences. Employee Records — 1,000–2,000 Individuals Ten years of salary records (2017–2026), medical insurance claims organised by department, ~200 ECARD ID photos, vacation/leave records, Key Management Personnel (KMP) compensation details, and biometric enrollment data from the Gladis facility-access system. Credentials and Infrastructure BitLocker recovery key — full disk-encryption key for the Windows server volume Passwords.docx — plaintext system password store covering revenue, PMS, and operational systems Extranet passwords — booking-portal and vendor credentials 3CX VoIP backup — SIP credentials, extension configurations, call routing rules Biometric templates (Gladis enrollment) — non-rotateable fingerprint/facial data Corporate-Sensitive Documents Management Contract of Cheval Blanc Randheli — the LVMH–property owner agreement containing fee structures, performance benchmarks, and brand license terms Board investment recommendation for Velidhoo — a potential new property with capital allocation and return projections 10 years of budgets and revenue forecasts Audited subsidiary financial statements (I&T / Sitax entities) White Book — the property's operational standards manual (proprietary LVMH brand IP) Building Management System data — HVAC, power, desalination, and lighting control files for island infrastructure

Sources

Source

Indexed 3 months ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About aurora

Aurora is a recently emerged ransomware group first observed in April 2026, operating with apparent financial motivations through targeted attacks across multiple sectors. Given its recent emergence, limited public documentation exists regarding the group's specific country of origin or affiliations with established ransomware operations, though its targeting patterns suggest a professional operation potentially operating as an independent entity rather than a known Ransomware-as-a-Service model. The group has demonstrated a preference for attacking business-critical sectors including business services, consumer services, manufacturing, healthcare, and financial services, with documented attacks spanning the United States, Canada, the Maldives, and Great Britain, though specific initial access vectors and technical methodologies remain undocumented by major threat intelligence firms. With only seven known victims documented since April 2026, Aurora represents a relatively small-scale operation compared to established ransomware families, though its cross-sector targeting approach and international victim scope indicate deliberate selection criteria rather than opportunistic attacks. The group remains active as of current reporting, though the limited victim count and recent emergence suggest either a highly selective targeting approach or a nascent operation still developing its operational capabilities. The group has been linked to 21 public disclosures across our corpus. First observed on a leak site on April 29, 2026; most recent post June 30, 2026. The operation is currently active.

Timeline of this disclosure

  • April 29, 2026Cheval Blanc Randheli listed by auroraon the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Hospitality and Tourism sector, which has 452 disclosures indexed across all operators we track. Geographically, Cheval Blanc Randheli is reported in Maldives.

If your organisation is affected

A listing by aurora means Cheval Blanc Randheli appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Monitor for the data appearing on aurora's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.