Criminal complaints against alleged Scattered Spider members and public reports reveal collaboration of the subclusters with ALPHV/Blackcat and Dragonforce.
BlackCat
BlackCat, also known as ALPHV and Noberus, is a ransomware-as-a-service operation that emerged in late 2021 and became one of the most prominent enterprise-targeting extortion threats.
Profile source: Mallory opens in a new tabBlackCat
Family profile
BlackCat, also known as ALPHV and Noberus, is a ransomware-as-a-service operation that emerged in late 2021 and became one of the most prominent enterprise-targeting extortion threats. The operation provides file-encrypting malware and supporting extortion infrastructure to affiliates, who conduct intrusions, steal data, encrypt victim systems, and pressure organizations into paying for decryption and to prevent public data leaks. Reporting links the operation to attacks against more than 1,000 organizations before major law-enforcement disruption in late 2023. Victims have included organizations in healthcare, financial services, hospitality, retail, nonprofits, medical technology, law firms, school districts, and other sectors, including attacks affecting critical infrastructure and healthcare-related entities.
BlackCat is characterized by double-extortion tradecraft in which affiliates first compromise corporate networks, conduct data theft, and then deploy ransomware to disrupt operations while threatening publication of stolen information. The group’s affiliate model involved revenue sharing with operators retaining a percentage of proceeds. Court records and public reporting also show affiliates using BlackCat directly against U.S. organizations, combining network intrusion, data theft, encryption, and extortion. The operation maintained negotiation and extortion portals used to communicate with victims and manage affiliate activity.
The group has been associated with aggressive extortion practices, including pressure tactics tailored to victims’ financial circumstances and willingness to pay. Publicly documented incidents show BlackCat operators and affiliates leveraging stolen internal information to maximize ransom demands. Law-enforcement action in December 2023 disrupted parts of the operation, including seizure of infrastructure and deployment of a decryption capability that helped victims recover systems without payment. Subsequent reporting described the operation as defunct or heavily disrupted, though it remained widely recognized as a major ransomware brand.
Capabilities
- Exfiltration
- Extortion
- Post Exploitation
Ransomware.live
Operational record
Reported operators
Threat actors
14 named in public reportingThe KeeLoader used in the attack installed Cobalt Strike, and its watermark, 678358251, was found to be indirectly related to BlackCat and BlackBasta.
Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.
The BlackCat (or ALPHV) ransomware came to prominence in late 2021 and is the first known ransomware to be written in the Rust programming language.
These RaaS programs include: Akira (Howling Scorpius) ALPHV (Ambitious Scorpius) DragonForce (Slippery Scorpius) Play (Fiddling Scorpius) Qilin (Spikey Scorpius) RansomHub (Spoiled Scorpius)
GOLD HARVEST has been known to operate as a ransomware affiliate, deploying ALPHV ransomware in attacks on MGM Resorts in 2023 and reportedly using RansomHub in attacks throughout 2024.
DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022.
DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022.
Nitrogen was first observed in 2023, using ALPHV, one of the most prevalent ransomware variants at that time.
...delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.
“Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS…”
FIN8 has deployed ransomware such as Ragnar Locker, White Rabbit, and attempted to execute Noberus on compromised networks.
“Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS…”
“Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS…”
Exploited software
Vulnerabilities linked to BlackCat
17 CVEsMITRE ATT&CK
BlackCat in ATT&CK
88 distinct techniquesTechniques
88 techniquesReporting
Research mentioning BlackCat
Nigeria Deepens Cybersecurity Efforts as Cybercriminals See More Profits
You May Also Like ... US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity
The inside job that cost ransomware victims millions | Malwarebytes
Martino used an intermediary chat channel to relay clients’ confidential material to negotiators for the BlackCat/ALPHV ransomware gang... In May 2023, Martino signed up as a BlackCat affiliate himself... The trio began deploying BlackCat directly against additional victims.
Manage Vendor Risk in a Few Practical Steps
You May Also Like ... US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity
Переговорщик работал на вымогателей и получил почти 6 лет тюрьмы - Хакер
...за сотрудничество с вымогательской группировкой BlackCat. ... весной 2023 года Мартино наладил контакт с участниками хак-группы BlackCat (она же ALPHV) ... После этого Мартино, Голдберг и Мартин стали самостоятельно атаковать организации с помощью BlackCat, то есть взламывали корпоративные сети, похищали данные и развертывали шифровальщик.
U.S. Security Expert Sentenced for Aiding BlackCat Ransomware Gang - CySecurity News - Latest Information Security and Hacking Incidents
Angelo Martino pleaded guilty to providing confidential victim information to the BlackCat/Alphv cybercrime group ... Prosecutors revealed that Martino also assisted co-conspirators ... in deploying BlackCat ransomware against U.S. victims for six months in 2023.
Ransomware negotiator hired to represent victims was working for the attackers - Ars Technica
Martino and co-conspirators ... deployed the BlackCat ransomware themselves against five other victims ... “As an ALPHV BlackCat affiliate, the three men deployed ransomware against five victims...”
Cybersecurity Negotiator Gets 70 Months for Helping BlackCat Extort Victims
A former ransomware negotiator who supplied BlackCat ransomware with confidential information from companies seeking help has been sentenced to 70 months in federal prison. Angelo Martino ... conspired with operators of the ALPHV, also known as the BlackCat ransomware group.
Third US Security Expert Sentenced to Prison for Helping Ransomware Gang - SecurityWeek
Angelo Martino, a former ransomware negotiator, was sentenced to 70 months for helping the BlackCat/Alphv group.