| Formation | 2021 |
|---|---|
| Type | Hacking |
| Parent organization | FIN7, DarkSide (hacker group) |
BlackCat, also known as ALPHV [1] and Noberus, [2] is a computer ransomware family written in Rust. It first appeared in November 2021. By extension, the name also refers to the threat actor(s) who operated it.
BlackCat operates on a ransomware as a service (RaaS) model: developers offer the malware to affiliates and take a percentage of ransom payments. For initial access, the ransomware relies mainly on stolen credentials obtained through initial access brokers. The group operated a public data leak site to pressure victims into paying ransom demands.
The group targeted hundreds of organizations worldwide, including Reddit in 2023 and Change Healthcare in 2024. [3] Since its first appearance it was one of the most active ransomware operations. [4]
As of February 2024, the U.S. Department of State was offering rewards of up to US$10 million for leads that could identify or locate ALPHV/BlackCat ransomware gang leaders. [5]
In March 2024, a representative for BlackCat said that the group was shutting down in the aftermath of the 2024 Change Healthcare ransomware attack. [6] As of early 2025 it had apparently disappeared. [7]
The group behind BlackCat mostly uses a double extortion tactic, but sometimes extends it to triple extortion, which adds the threat of exposing exfiltrated data and of launching distributed denial-of-service (DDoS) attacks on victims' infrastructure. [8]
BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero and have accepted ransom payments below the initial ransom demand amount. According to the FBI, many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/Blackmatter, indicating they have extensive networks and experience with ransomware operations. [1]
The group is known for being the first ransomware operation to create a public data leak website on the open internet. Previous cyber gangs typically published stolen data on the dark web. BlackCat's innovation was to post excerpts or samples of victims' data on a site accessible to anyone with a web browser. Security experts believe the tactic is intended to lend more credibility to their claims of breaching victims' systems and to increase pressure on organizations to pay ransoms to prevent full public exposure of their data. [9] The group also mimics its victims' websites, posting stolen data on typosquatted replicas on the web. [10]
In its early campaigns, Royal ransomware used the encryptor tool called "BlackCat". [11]
The malware was first observed by researchers from the MalwareHunterTeam in mid-November 2021. [8]
By April 2022, the Federal Bureau of Investigation (FBI) released an advisory that several developers and money launderers for BlackCat had links to two defunct ransomware as a service (RaaS) groups – DarkSide and BlackMatter. [8] According to some experts, the ransomware might be a rebranding of DarkSide, after their May 2021 attack on the Colonial Pipeline. [12] It might also be a successor to the REvil cybercriminal group which was dismantled in late 2021. [9]
Throughout 2022, BlackCat compromised and extorted numerous high-profile organizations globally including universities, government agencies and companies in the energy, technology, manufacturing, and transportation sectors. Reported victims include Moncler, Swissport, North Carolina A&T, Florida International University, the Austrian state of Carinthia, Regina Public Schools, the city of Alexandria, the University of Pisa, Bandai Namco, Creos, Accelya, GSE, NJVC, EPM, and JAKKS Pacific. [13]
In September 2022, a report noted that the ransomware was using the Emotet botnet. [8]
In late May 2022, a European government was attacked and asked for US$5 million in ransom. [8]
At the beginning of 2023, BlackCat attacked Grupo Estrategas EMM, NextGen Healthcare, Solar Industries India, Instituto Federal Do Pará, Munster Technological University, and Lehigh Valley Health Network. [13]
In February 2023, a variant called "Sphynx" was released with updates to increase speed and stealth. As of May 2023, the group is estimated to have targeted over 350 victims globally since its emergence. [2]
In June 2023, the group claimed responsibility for a February 2023 breach of Reddit's systems. On their data leak site, they claimed that they stole 80 GB of compressed data and demanded a $4.5 million ransom from Reddit. This attack did not involve data encryption like typical ransomware campaigns. [14]
On December 19, 2023, the group's website was replaced with an image: a message from the FBI stating "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware." [15]
The FBI announced that same day they had "disrupted" the ALPHV/BlackCat group by seizing multiple websites as well as releasing a decryption tool. The tool could be used by ransomware victims to decrypt their files without paying the ransom. [16]
As of February 2024, the U.S. Department of State is offering rewards of up to $10 million for leads that could identify or locate ALPHV/BlackCat ransomware gang leaders. It is offering an additional $5 million reward for tips on people who take part in ALPHV ransomware attacks. [5]
In May 2024, The Standard (Hong Kong) reported that Hong Kong's Consumer Council had been the target of "a ransomware attack on its servers and endpoint devices" and that such an attack had been conducted by ALPHV. [17]
Threat actors associated with BlackCat were observed using "malvertising", a search engine optimization (SEO) poisoning technique that uses paid advertising to trick users searching for applications such as WinSCP into downloading and spreading its malware. As Ravie Lakshmanan noted, writing for The Hacker News, the approach
typically involves hijacking a chosen set of keywords (e.g., "WinSCP Download") to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages [18]
that is, using hijacked webpages of legitimate organizations to redirect users to pages hosting malware. [18]
The rogue WinSCP installer then delivers a backdoor containing a Cobalt Strike beacon that allows follow-on intrusions by the attackers; the access afforded by the beacon is used for reconnaissance, data exfiltration, tampering with security controls, and lateral movement. The threat actors also gained administrative privileges and began setting up further backdoors before the attack was discovered. [18] The ransomware incorporates techniques such as junk code and encrypted strings to avoid detection.
Specifically, the gang uses Emotet botnet malware as an entry point and Log4J Auto Expl to propagate the ransomware laterally within the network. [8] The group abuses Group Policy Objects (GPOs) to distribute malware and disable security controls across networks. [19] The malware uses tools such as ExMatter to steal sensitive data before deploying ransomware to encrypt files. [13] Once executed, BlackCat performs network discovery to find more systems to infect, deletes volume shadow copies, encrypts files, and drops a ransom note demanding cryptocurrency. [2]
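The execution chain just described (network discovery, shadow-copy deletion, then mass encryption) is what endpoint detection typically keys on. The script below is an added example, not code from the Wikipedia article or from any vendor's product: it runs a small correlation pass over constructed process-creation and file-rename events in a simplified JSON-like shape. The command-line patterns are the generic, widely documented Windows commands for those steps (ATT&CK T1018 and T1490), not strings taken from BlackCat samples; the event field names, the burst threshold and the `.locked_example` extension are all assumptions chosen for the demonstration.

```python
"""Toy detection pass over constructed endpoint telemetry for a ransomware
execution chain: network discovery -> shadow-copy deletion -> mass file renames.
Added example; the events below are constructed, not real BlackCat telemetry."""
import json
import re
from collections import defaultdict

# Generic Windows command-line patterns for two of the steps (ATT&CK T1018, T1490).
# These are the standard public detection signatures, not BlackCat-specific strings.
PROCESS_RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("network_discovery", "low",
     re.compile(r"\bnet(\.exe)?\s+view\b|\barp(\.exe)?\s+-a\b", re.I)),
]

# Mass-encryption heuristic (assumed tuning): many renames on one host to a single
# new file extension within a short window. Timestamps are epoch seconds.
BURST_THRESHOLD = 40
BURST_WINDOW_S = 60


def process_alerts(events):
    """Match process-creation command lines against PROCESS_RULES."""
    alerts = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        for rule, severity, pattern in PROCESS_RULES:
            if pattern.search(ev.get("cmdline", "")):
                alerts.append({"host": ev["host"], "ts": ev["ts"],
                               "rule": rule, "severity": severity})
    return alerts


def rename_burst_alerts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW_S):
    """Flag a host when >= threshold renames to one extension land inside `window` seconds."""
    buckets = defaultdict(list)  # (host, new extension) -> sorted timestamps
    for ev in events:
        if ev.get("type") != "rename":
            continue
        path = ev["new_path"]
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        buckets[(ev["host"], ext)].append(ev["ts"])
    alerts = []
    for (host, ext), times in buckets.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append({"host": host, "ts": times[0], "rule": "mass_rename_burst",
                           "severity": "high", "extension": ext, "count": best})
    return alerts


def correlate(events):
    """Per-host verdict: shadow-copy deletion plus a rename burst is the strongest signal."""
    alerts = process_alerts(events) + rename_burst_alerts(events)
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    verdict = {}
    for host, rules in rules_by_host.items():
        if {"shadow_copy_deletion", "mass_rename_burst"} <= rules:
            verdict[host] = "likely_ransomware_execution"
        elif "shadow_copy_deletion" in rules or "mass_rename_burst" in rules:
            verdict[host] = "suspicious"
        else:
            verdict[host] = "informational"
    return alerts, verdict


def sample_events():
    """Constructed telemetry: hostA shows the full chain, hostB only runs a backup job."""
    events = [
        {"ts": 100, "host": "hostA", "type": "process", "cmdline": "net view /all"},
        {"ts": 130, "host": "hostA", "type": "process",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": 500, "host": "hostB", "type": "process", "cmdline": "backup.exe --job nightly"},
    ]
    # 45 renames on hostA to an assumed ".locked_example" extension within 45 seconds
    events += [{"ts": 140 + i, "host": "hostA", "type": "rename",
                "new_path": f"C:\\share\\doc{i}.docx.locked_example"} for i in range(45)]
    # a benign trickle of .bak renames on hostB, below the threshold
    events += [{"ts": 600 + i, "host": "hostB", "type": "rename",
                "new_path": f"C:\\backup\\file{i}.bak"} for i in range(10)]
    return events


if __name__ == "__main__":
    found, verdicts = correlate(sample_events())
    print(json.dumps({"alerts": found, "verdict": verdicts}, indent=2))
```

The point of the correlation step is that neither signal alone is conclusive: backup software legitimately renames many files, and administrators occasionally clear shadow copies. Requiring the two to coincide on one host, with the shadow-copy deletion shortly before the rename burst, is what separates the chain in the paragraph above from routine activity.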
Scattered Spider, an ALPHV affiliate (speculated by some outlets to be a subgroup of ALPHV [20] ) made up primarily of British and American hackers, worked with ALPHV in its September 2023 ransomware attacks against MGM Resorts International and Caesars Entertainment, the two largest casino operators and gaming companies in Las Vegas and among the largest in the world. The hackers demanded a US$30 million ransom from Caesars, which paid $15 million. MGM, however, did not pay the ransom and instead shut down all systems for a period of weeks, which also affected MGM's online offerings, such as its sports betting platform BetMGM. [21] [22] [23] The cyberattack on MGM had a $100 million impact on the company's financial performance for the third quarter of 2023. [24]
ALPHV was also used to conduct a ransomware attack against Motel One, though the company stated that its normal business operations were never at risk. The hackers were able to access some customer data and an estimated 150 credit cards. [20]
BlackCat was reported to be behind the 2024 Change Healthcare ransomware attack. Change Healthcare paid a $22 million ransom to recover data after the attack. However, a payment dispute between BlackCat and an affiliate involved with the attack has resulted in a BlackCat representative claiming that the group is shutting down and selling the source code for its ransomware products. This dispute has been viewed as a potential exit scam by the developers. [6]
Ransomware is a type of malware that encrypts the victim's personal data until a ransom is paid. Difficult-to-trace digital currencies such as paysafecard, Bitcoin and other cryptocurrencies are commonly used for the ransoms, making tracing and prosecuting the perpetrators difficult. Sometimes the original files can be retrieved without paying the ransom due to implementation mistakes, leaked cryptographic keys or a complete lack of encryption in the ransomware.
The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.
Bitdefender is a multinational cybersecurity technology company dual-headquartered in Bucharest, Romania and Santa Clara, California, with offices in the United States, Europe, Australia and the Middle East.
The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running on Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.
The Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the group, researchers have attributed many cyberattacks to them since 2010.
REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.
Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.
Emsisoft Ltd. is a New Zealand-based anti-virus software distribution company. It is notable for decrypting files after ransomware attacks to restore data.
FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.
On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that afflicted computerized equipment managing the pipeline. The Colonial Pipeline Company halted all pipeline operations to contain the attack. Overseen by the FBI, the company paid the amount that was asked by the hacker group within several hours; upon receipt of the ransom, an IT tool was provided to the Colonial Pipeline Company by DarkSide to restore the system. However, the tool required a very long processing time to restore the system to a working state.
DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. The group provides ransomware as a service.
Conti is malware developed and first used by the Russia-based hacking group "Wizard Spider" in December, 2019. It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.
Wizard Spider, also known as Trickbot, DEV-0193, UNC2053, or Periwinkle Tempest, was a cybercrime group based in and around Saint Petersburg in Russia. Some members may be based in Ukraine. They are estimated to number about 80; some of them may not know they are employed by a criminal organisation.
Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.
Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.
LockBit is a cybercriminal group offering ransomware as a service (RaaS). Software developed by the group enables malicious actors who pay to use it to carry out double-extortion attacks: they not only encrypt the victim's data and demand a ransom, but also threaten to leak the data publicly if their demands are not met.
Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion. Royal does not use affiliates.
Qilin is a Russian-speaking cybercrime organisation that has been linked to a number of incidents, including a ransomware attack on hospitals in London.
Akira is ransomware that emerged in March 2023. It has targeted over 250 entities, including the government sector, businesses in Canada, the US and Australia (Nissan), critical infrastructure entities (the Finnish IT services provider Tietoevry), and universities (Stanford University). Akira is offered as ransomware-as-a-service.