June 30, 2023
Executive summary
BlackCat ransomware is operated by ALPHV. The Cyber Centre assesses that ALPHV is almost certainly a financially motivated, Russian-speaking, ransomware-as-a-service (RaaS) cybercrime group that is very likely based in a Commonwealth of Independent States (CIS) country. [Footnote 1]
ALPHV/BlackCat users and source code are related to the BlackMatter and DarkSide ransomware groups and variants. [Footnote 1]
There is no pattern to victimization that suggests deliberate targeting. The Cyber Centre assesses that ALPHV and its affiliates almost certainly select victims based on opportunity.
ALPHV/BlackCat has presented a consistent threat to Canadian organizations since at least January 2022 and will very likely continue to threaten Canadian and international organizations into the latter half of 2023.
Overview
BlackCat ransomware is operated in a RaaS model by ALPHV, a Russian-speaking cybercrime group. A RaaS cybercrime group maintains and develops a particular ransomware variant, sells access to it to individuals or groups of operators (often referred to as “affiliates”), and supports the affiliates’ deployment of the ransomware in exchange for an upfront payment, subscription fees, a cut of profits, or all three.
The Cyber Centre assesses that ALPHV is almost certainly a financially motivated, Russian-speaking, RaaS cybercrime group that is very likely based in a CIS country. CIS refers to a regional collection of states that emerged from the Soviet Union.
ALPHV/BlackCat ransomware attacks were first reported in November 2021. [Footnote 2]
ALPHV claims to be a group of former DarkSide/BlackMatter ransomware affiliates who chose to develop their own ransomware. However, some analysts have speculated that ALPHV/BlackCat may in fact be former core group members of DarkSide/BlackMatter rather than affiliates. [Footnote 3]
ALPHV/BlackCat operators advertise their ransomware to potential affiliates in private forums, including the darknet forums XSS, Exploit, and RAMP5. [Footnote 1]
Notable tactics, techniques and procedures (TTPs)
ALPHV/BlackCat is the first known ransomware written in the “Rust” programming language and can infect both Windows and Linux-based systems. [Footnote 1]
ALPHV/BlackCat campaigns often involve triple-extortion, making ransom demands for:
- the decryption of infected files
- not publishing stolen data
- not launching denial of service (DoS) attacks [Footnote 1]
Several open sources have published detailed analyses of ALPHV/BlackCat TTPs. [Footnote 4]
Conclusion
ALPHV/BlackCat has presented a consistent threat to Canadian organizations since at least January 2022 and will very likely continue to threaten Canadian and international organizations into the latter half of 2023.