Skip to content
Ransomware group Windows

BlackCat

BlackCat, also known as ALPHV and Noberus, is a ransomware-as-a-service operation that emerged in late 2021 and became one of the most prominent enterprise-targeting extortion threats.

Profile source: Mallory opens in a new tab

BlackCat

Family profile

BlackCat, also known as ALPHV and Noberus, is a ransomware-as-a-service operation that emerged in late 2021 and became one of the most prominent enterprise-targeting extortion threats. The operation provides file-encrypting malware and supporting extortion infrastructure to affiliates, who conduct intrusions, steal data, encrypt victim systems, and pressure organizations into paying for decryption and to prevent public data leaks. Reporting links the operation to attacks against more than 1,000 organizations before major law-enforcement disruption in late 2023. Victims have included organizations in healthcare, financial services, hospitality, retail, nonprofits, medical technology, law firms, school districts, and other sectors, including attacks affecting critical infrastructure and healthcare-related entities.

BlackCat is characterized by double-extortion tradecraft in which affiliates first compromise corporate networks, conduct data theft, and then deploy ransomware to disrupt operations while threatening publication of stolen information. The group’s affiliate model involved revenue sharing with operators retaining a percentage of proceeds. Court records and public reporting also show affiliates using BlackCat directly against U.S. organizations, combining network intrusion, data theft, encryption, and extortion. The operation maintained negotiation and extortion portals used to communicate with victims and manage affiliate activity.

The group has been associated with aggressive extortion practices, including pressure tactics tailored to victims’ financial circumstances and willingness to pay. Publicly documented incidents show BlackCat operators and affiliates leveraging stolen internal information to maximize ransom demands. Law-enforcement action in December 2023 disrupted parts of the operation, including seizure of infrastructure and deployment of a decryption capability that helped victims recover systems without payment. Subsequent reporting described the operation as defunct or heavily disrupted, though it remained widely recognized as a major ransomware brand.

Capabilities

  • Exfiltration
  • Extortion
  • Post Exploitation

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

14 named in public reporting
Scattered Spider

Criminal complaints against alleged Scattered Spider members and public reports reveal collaboration of the subclusters with ALPHV/Blackcat and Dragonforce.

AdverCRow

The KeeLoader used in the attack installed Cobalt Strike, and its watermark, 678358251, was found to be indirectly related to BlackCat and BlackBasta.

Vanilla Tempest

Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.

BlackCat

The BlackCat (or ALPHV) ransomware came to prominence in late 2021 and is the first known ransomware to be written in the Rust programming language.

ambitious_scorpius

These RaaS programs include: Akira (Howling Scorpius) ALPHV (Ambitious Scorpius) DragonForce (Slippery Scorpius) Play (Fiddling Scorpius) Qilin (Spikey Scorpius) RansomHub (Spoiled Scorpius)

GOLD HARVEST

GOLD HARVEST has been known to operate as a ransomware affiliate, deploying ALPHV ransomware in attacks on MGM Resorts in 2023 and reportedly using RansomHub in attacks throughout 2024.

WIZARD SPIDER

DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022.

Velvet Tempest

DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022.

Nitrogen

Nitrogen was first observed in 2023, using ALPHV, one of the most prevalent ransomware variants at that time.

Storm-0501

...delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.

ShadowSyndicate

“Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS…”

FIN8

FIN8 has deployed ransomware such as Ragnar Locker, White Rabbit, and attempted to execute Noberus on compromised networks.

Cicada3301

“Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS…”

UNC4466

“Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS…”

Exploited software

Vulnerabilities linked to BlackCat

17 CVEs

MITRE ATT&CK

BlackCat in ATT&CK

88 distinct techniques

Techniques

88 techniques
T1486 Data Encrypted for Impact T1078 Valid Accounts T1567 Exfiltration Over Web Service T1657 Financial Theft T1071 Application Layer Protocol T1537 Transfer Data to Cloud Account T1070.004 File Deletion T1041 Exfiltration Over C2 Channel T1005 Data from Local System T1083 File and Directory Discovery T1574.011 Services Registry Permissions Weakness T1082 System Information Discovery T1112 Modify Registry T1033 System Owner/User Discovery T1087.002 Domain Account T1622 Debugger Evasion T1027 Obfuscated Files or Information T1059 Command and Scripting Interpreter T1543.003 Windows Service T1007 System Service Discovery T1202 Indirect Command Execution T1027.002 Software Packing T1485 Data Destruction T1140 Deobfuscate/Decode Files or Information T1499 Endpoint Denial of Service T1550.002 Pass the Hash T1490 Inhibit System Recovery T1656 Impersonation T1059.003 Windows Command Shell T1047 Windows Management Instrumentation T1133 External Remote Services T1105 Ingress Tool Transfer T1565.001 Stored Data Manipulation T1592.001 Hardware T1021 Remote Services T1021.001 Remote Desktop Protocol T1598.004 Spearphishing Voice T1059.004 Unix Shell T1568 Dynamic Resolution T1074 Data Staged T1018 Remote System Discovery T1496 Resource Hijacking T1562 Impair Defenses T1566 Phishing T1598 Phishing for Information T1020 Automated Exfiltration T1621 Multi-Factor Authentication Request Generation T1213 Data from Information Repositories T1199 Trusted Relationship T1491.001 Internal Defacement T1548.002 Bypass User Account Control T1571 Non-Standard Port T1016 System Network Configuration Discovery T1046 Network Service Discovery T1070.001 Clear Windows Event Logs T1055 Process Injection T1489 Service Stop T1021.002 SMB/Windows Admin Shares T1589.001 Credentials T1120 Peripheral Device Discovery T1036 Masquerading T1087 Account Discovery T1498 Network Denial of Service T1110 Brute Force T1069.002 Domain Groups T1567.002 Exfiltration to Cloud Storage T1134 Access Token Manipulation T1680 Local Storage Discovery T1570 Lateral Tool Transfer T1222.001 Windows File and Directory Permissions Modification T1561.001 Disk Content Wipe T1135 Network Share Discovery T1566.004 Spearphishing Voice T1190 Exploit Public-Facing Application T1053 Scheduled Task/Job T1059.001 Command and Scripting Interpreter: PowerShell T1072 Windows Management Instrumentation T1106 Native API T1569.002 System Services: Service Execution T1547 Server Software Component T1134.002 Access Token Manipulation: Create Process with Token T1497 Virtualization/Sandbox Evasion T1562.001 Impair Defenses: Disable or Modify Tools T1003.001 OS Credential Dumping: LSASS Memory T1552 Unsecured Credentials T1555 Credentials from Password Stores T1030 Data Transfer Size Limits T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Reporting

Research mentioning BlackCat

Jul 15
Dark Reading

Nigeria Deepens Cybersecurity Efforts as Cybercriminals See More Profits

You May Also Like ... US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity

Jul 14
Malwarebytes Labs

The inside job that cost ransomware victims millions | Malwarebytes

Martino used an intermediary chat channel to relay clients’ confidential material to negotiators for the BlackCat/ALPHV ransomware gang... In May 2023, Martino signed up as a BlackCat affiliate himself... The trio began deploying BlackCat directly against additional victims.

Jul 14
Dark Reading

Manage Vendor Risk in a Few Practical Steps

You May Also Like ... US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity

Jul 14
Xakep

Переговорщик работал на вымогателей и получил почти 6 лет тюрьмы - Хакер

...за сотрудничество с вымогательской группировкой BlackCat. ... весной 2023 года Мартино наладил контакт с участниками хак-группы BlackCat (она же ALPHV) ... После этого Мартино, Голдберг и Мартин стали самостоятельно атаковать организации с помощью BlackCat, то есть взламывали корпоративные сети, похищали данные и развертывали шифровальщик.

Jul 11
Cysecurity News

U.S. Security Expert Sentenced for Aiding BlackCat Ransomware Gang - CySecurity News - Latest Information Security and Hacking Incidents

Angelo Martino pleaded guilty to providing confidential victim information to the BlackCat/Alphv cybercrime group ... Prosecutors revealed that Martino also assisted co-conspirators ... in deploying BlackCat ransomware against U.S. victims for six months in 2023.

Jul 10
Arstechnica

Ransomware negotiator hired to represent victims was working for the attackers - Ars Technica

Martino and co-conspirators ... deployed the BlackCat ransomware themselves against five other victims ... “As an ALPHV BlackCat affiliate, the three men deployed ransomware against five victims...”

Jul 10
Hackread

Cybersecurity Negotiator Gets 70 Months for Helping BlackCat Extort Victims

A former ransomware negotiator who supplied BlackCat ransomware with confidential information from companies seeking help has been sentenced to 70 months in federal prison. Angelo Martino ... conspired with operators of the ALPHV, also known as the BlackCat ransomware group.

Jul 10
Security Week

Third US Security Expert Sentenced to Prison for Helping Ransomware Gang - SecurityWeek

Angelo Martino, a former ransomware negotiator, was sentenced to 70 months for helping the BlackCat/Alphv group.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.