Profile: ALPHV/BlackCat ransomware

From: Canadian Centre for Cyber Security

June 30, 2023

Executive summary

BlackCat ransomware is operated by ALPHV. The Cyber Centre assesses that ALPHV is almost certainly a financially motivated, Russian-speaking, ransomware-as-a-service (RaaS) cybercrime group that is very likely based in a Commonwealth of Independent States (CIS) country.Footnote 1

ALPHV/BlackCat users and source code are related to ransomware groups/variants BlackMatter and DarkSide.Footnote 1

There is no pattern to victimization that suggests deliberate targeting. The Cyber Centre assesses that ALPHV and its affiliates almost certainly select victims based on opportunity.

ALPHV/BlackCat has presented a consistent threat to Canadian organizations since at least January 2022 and will very likely continue to threaten Canadian and international organizations into the latter half of 2023.

Overview

BlackCat ransomware is operated in a RaaS model by ALPHV, a Russian-speaking cybercrime group. A RaaS cybercrime group maintains the good functioning of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often referred to as “affiliates”), and supports affiliates’ deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits, or all three.

The Cyber Centre assesses that ALPHV is almost certainly a financially motivated, Russian-speaking, RaaS cybercrime group that is very likely based in a CIS country. CIS refers to a regional collection of states that emerged from the Soviet Union.

ALPHV/BlackCat ransomware attacks were first reported in November 2021.Footnote 2

ALPHV claims to be a group of former DarkSide/BlackMatter ransomware affiliates who chose to develop their own ransomware. However, some analysts have speculated that ALPHV/BlackCat may in fact be former core group members of DarkSide/BlackMatter rather than affiliates.Footnote 3

ALPHV/BlackCat operators advertise their ransomware to potential affiliates in private forums, including the darknet forums XSS, Exploit, and RAMP5.Footnote 1

Notable tactics, techniques and procedures (TTPs)

ALPHV/BlackCat is the first known ransomware written in the “Rust” programming language and can infect both Windows and Linux-based systems.Footnote 1

ALPHV/BlackCat campaigns often involve triple-extortion, making ransom demands for:

  • the decryption of infected files
  • not publishing stolen data
  • not launching denial of service (DoS) attacksFootnote 1

Several open sources have published detailed analyses of ALPHV/BlackCat TTPs.Footnote 4

Conclusion

ALPHV/BlackCat has presented a consistent threat to Canadian organizations since at least January 2022 and will very likely continue to threaten Canadian and international organizations into the latter half of 2023.

Report a problem on this page

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: