BlackShrantac Ransomware Group Claims Breach of LM Metro Hotel in Zamboanga City
A Philippine-based hospitality company has allegedly fallen victim to a ransomware attack after the BlackShrantac Ransomware Group claimed responsibility for breaching LM Metro Hotel, a hotel located in Zamboanga City, Philippines.
The claim surfaced on a Tor-based leak site operated by the group, where multiple screenshots were published as proof of compromise, showing what appears to be internal documents, spreadsheets, identification records, system files, and operational materials belonging to the hotel.
According to the threat actor’s post, the compromised organization is associated with the domain lmmetrohotelph.com, and the attackers claim to have exfiltrated approximately 30GB of data. The leaked samples suggest that the stolen information includes guest personal data such as names, addresses, phone numbers, check-in and check-out records, and room usage history. In addition to guest-related information, the attackers also claim access to reservation and booking system data, including VIP guest details, group bookings, and event arrangements, raising concerns about the potential exposure of sensitive hospitality operations.
Further examination of the leak samples indicates that employee and internal business data may also have been affected. The published materials appear to include HR-related records, payroll information, work schedules, access permissions, internal logs, insurance-related documents, accounting files, hotel lock system manuals, and inventory or asset listings. Several folders and filenames visible in the screenshots suggest the presence of internal administrative files and confidential business documentation, which could pose operational and reputational risks if fully released.
The BlackShrantac Ransomware Group also showcased what it claims to be identification documents, scanned forms, spreadsheets, and internal reports as part of its proof-of-breach strategy. Such disclosures are commonly used by ransomware operators to pressure victims into paying a ransom by demonstrating the severity of the compromise and the potential impact of a full public data release. At the time of writing, there is no indication of whether negotiations are ongoing or if a ransom demand has been issued publicly.
BlackShrantac is a relatively lesser-known ransomware group but appears to follow a double extortion model, wherein data is exfiltrated prior to encryption and later threatened with publication if the victim refuses to comply with demands. The group’s leak site presentation and data organization mirror tactics commonly used by established ransomware operations, suggesting a structured approach rather than an opportunistic attack.
As of now, LM Metro Hotel has not released an official public statement confirming or denying the breach. It also remains unclear whether local authorities or the National Privacy Commission (NPC) have been notified, which would be required under Philippine data protection laws if personal information was indeed compromised.
