Uncover gaps in your Microsoft Identity Security.
Book an identity exposure gap analysis today.
Threat actors
>
Ransomware Group

ALPHV Blackcat

ALPHV, also known by the name BlackCat or Noberus, is a ransomware strain used in Ransomware as a Service (RaaS) operations.

Detect TTPs used by ALPHV
Is Your Organization Safe from ALPHV Attacks?
Background
Targets
TTPs
Detection
FAQs

The Origin of ALPHV BlackCat

Developed using the Rust programming language, ALPHV can run on various operating systems including Windows, Linux (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi.

It is marketed under the name ALPHV on cybercrime forums, although security researchers often refer to it as BlackCat, a nod to the black cat icon displayed on its leak site.

Since its first observed deployment in ransomware attacks on November 18, 2021, ALPHV has shown versatility in its encryption capabilities, supporting both AES and ChaCha20 algorithms.

To ensure maximum disruption, ALPHV can eliminate volume shadow copies, terminate processes and services, and shut down virtual machines on ESXi servers.

Additionally, it has the capability to self-propagate across local networks by using PsExec to execute remotely on other hosts.

ALPHV Blackcat was disrupted by the FBI in December 2023.

The Origin of ALPHV BlackCat
Targets

ALPHV's Targets

Countries targeted by ALPHV

ALPHV Blackcat mostly targeted the USA, followed by Germany and other european countries such as France, Spain and Netherlands.

Source: Palo Alto

Industries targeted by ALPHV

Researchers have examined over 210 announcements related to BlackCat ransomware, finding that the "Professional, Scientific, and Technical Services" and "Manufacturing" sectors are its main targets, with law firms and legal services being the most affected within the professional services industry.

Source: SOCradar

Industries targeted by ALPHV

Researchers have examined over 210 announcements related to BlackCat ransomware, finding that the "Professional, Scientific, and Technical Services" and "Manufacturing" sectors are its main targets, with law firms and legal services being the most affected within the professional services industry.

Source: SOCradar

ALPHV Blackcat's Victims

To date, more than 724 victims have fallen prey to ALPHV’s malicious operations.

Source: ransomware.live

Attack Method

ALPHV Blackcat's Attack Method

Initial Access
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Execution
Exfiltration
Impact
A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.

ALPHV primarily targets vulnerabilities in public-facing applications, likely exploiting these flaws to infiltrate network systems. In some instances, it also utilizes legitimate domain accounts, which may be obtained through previous breaches or credential theft, to gain a foothold in the network.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.

Once inside the network, ALPHV escalates its privileges by leveraging these same valid domain accounts, granting itself higher levels of access that are typically reserved for administrators. This escalation is critical for deepening its control over the system. In terms of execution, ALPHV utilizes the Windows Command Shell to run malicious commands and scripts, which facilitate the deployment and propagation of the ransomware.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.

To evade detection and hinder defensive responses, ALPHV actively disables or modifies security tools that could detect or block its activities.This includes terminating antivirus programs and disabling security services, creating a more permissive environment for its operations.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.
A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.
A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.
A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.
A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.
A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.
A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.

ALPHV's impact on the compromised systems is severe; it encrypts critical data using robust encryption algorithms, which renders files inaccessible to users. Additionally, it undermines system recovery efforts by deleting shadow copies and disabling recovery tools, which exacerbates the disruption caused and pressures victims into meeting ransom demands to restore access to their data.

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.
Initial Access

ALPHV primarily targets vulnerabilities in public-facing applications, likely exploiting these flaws to infiltrate network systems. In some instances, it also utilizes legitimate domain accounts, which may be obtained through previous breaches or credential theft, to gain a foothold in the network.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.
Privilege Escalation

Once inside the network, ALPHV escalates its privileges by leveraging these same valid domain accounts, granting itself higher levels of access that are typically reserved for administrators. This escalation is critical for deepening its control over the system. In terms of execution, ALPHV utilizes the Windows Command Shell to run malicious commands and scripts, which facilitate the deployment and propagation of the ransomware.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.
Defense Evasion

To evade detection and hinder defensive responses, ALPHV actively disables or modifies security tools that could detect or block its activities.This includes terminating antivirus programs and disabling security services, creating a more permissive environment for its operations.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.
Credential Access
A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.
Discovery
A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.
Lateral Movement
A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.
Collection
A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.
Execution
A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.
Exfiltration
A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.
Impact

ALPHV's impact on the compromised systems is severe; it encrypts critical data using robust encryption algorithms, which renders files inaccessible to users. Additionally, it undermines system recovery efforts by deleting shadow copies and disabling recovery tools, which exacerbates the disruption caused and pressures victims into meeting ransom demands to restore access to their data.

MITRE ATT&CK Mapping

TTPs used by ALPHV

ALPHV exhibits a methodical and multifaceted approach to its ransomware attacks, ensuring effectiveness across various stages of the intrusion cycle.

TA0001: Initial Access
T1190
Exploit Public-Facing Application
T1078
Valid Accounts
TA0002: Execution
T1059
Command and Scripting Interpreter
TA0003: Persistence
T1078
Valid Accounts
TA0004: Privilege Escalation
T1078
Valid Accounts
TA0005: Defense Evasion
T1562
Impair Defenses
T1078
Valid Accounts
TA0006: Credential Access
T1558
Steal or Forge Kerberos Tickets
T1555
Credentials from Password Stores
T1552
Unsecured Credentials
TA0007: Discovery
No items found.
TA0008: Lateral Movement
No items found.
TA0009: Collection
No items found.
TA0011: Command and Control
No items found.
TA0010: Exfiltration
No items found.
TA0040: Impact
T1490
Inhibit System Recovery
T1657
Financial Theft
T1486
Data Encrypted for Impact
Platform Detections

How to Detect ALPHV with Vectra AI

AWS Ransomware S3 Activity

M365 Ransomware

Ransomware File Activity

View more detections
Assess your attack exposure

FAQs

What is ALPHV BlackCat?

ALPHV BlackCat, also known as Noberus, is a sophisticated ransomware variant written in Rust, utilized in Ransomware as a Service (RaaS) operations. It is capable of targeting multiple operating systems, including Windows, Linux, and VMWare ESXi.

How does ALPHV BlackCat gain initial access to a network?

ALPHV BlackCat typically gains initial access through exploits in public-facing applications or by using valid domain accounts that may have been compromised.

What are the primary targets of ALPHV BlackCat?

ALPHV BlackCat mainly targets industries such as Professional, Scientific, and Technical Services and Manufacturing, with a particular focus on law firms and legal services within the professional sector.

What encryption algorithms does ALPHV BlackCat use?

ALPHV BlackCat can be configured to use either AES or ChaCha20 encryption algorithms to lock victim data.

How does ALPHV BlackCat evade detection?

The ransomware employs various techniques to evade detection, including disabling security tools and modifying system processes to hinder defensive measures.

What can organizations do to protect against ALPHV BlackCat attacks?

Organizations should implement robust security measures including regular patching, using advanced endpoint protection, conducting employee security awareness training, and deploying an AI-driven threat detection platform like Vectra AI to detect and respond to threats more effectively.

How does ALPHV BlackCat impact affected systems?

ALPHV BlackCat's impact includes encrypting important files, deleting volume shadow copies, and stopping critical services and virtual machines to maximize disruption and pressure victims into paying the ransom.

Does ALPHV BlackCat have any self-propagation capabilities?

Yes, ALPHV BlackCat can self-propagate within a network using tools like PsExec to execute remotely on other hosts in the local network.

How should IT teams respond to an ALPHV BlackCat infection?

Immediate isolation of affected systems, identification and revocation of compromised credentials, eradication of the ransomware’s presence, and restoration from backups are critical steps, alongside a thorough investigation to prevent future breaches.

What role does AI-driven threat detection play in combating ALPHV BlackCat?

AI-driven threat detection platforms, such as Vectra AI, play a crucial role in identifying subtle signs of ALPHV BlackCat activities and other sophisticated threats by analyzing patterns and anomalies that indicate malicious behavior, enabling faster and more effective responses.

Is Your Organization Safe from ALPHV Attacks?

Assess your attack exposure