BlackCat / ALPHV
Executive Summary
BlackCat (also known as ALPHV and Noberus) was a ransomware-as-a-service (RaaS) operation active from November 2021 until early 2024. The group was the first major ransomware operation to use the Rust programming language, which provided cross-platform capabilities (Windows, Linux, VMware ESXi) and hindered reverse engineering. Public reporting consistently describes the operation as Russian-speaking, but the cited sources do not support attribution to a specific country beyond that criminal-ecosystem context.
The operation accumulated over 1,000 victims globally before an FBI-led disruption in December 2023. BlackCat’s affiliates targeted high-value sectors including healthcare, with the February 2024 attack on Change Healthcare (UnitedHealth Group) disrupting healthcare claims processing across the United States. The group is assessed to include former members of the DarkSide/BlackMatter ransomware operations.
Notable Campaigns
2024 — Change Healthcare Attack
A BlackCat affiliate compromised Change Healthcare, a subsidiary of UnitedHealth Group processing approximately 50% of U.S. medical claims. The attack caused weeks of disruption to pharmacies, hospitals, and insurance billing nationwide. UnitedHealth Group reportedly paid a $22 million ransom. The breach affected protected health information of an estimated 100 million individuals.
2023 — MGM Resorts and Caesars Entertainment
BlackCat affiliates, working with the Scattered Spider group, compromised MGM Resorts International and Caesars Entertainment through social engineering of IT help desks. The MGM attack caused an estimated $100 million in losses from casino and hotel system shutdowns.
2022-2023 — Healthcare Sector Targeting
CISA and FBI issued multiple advisories warning of BlackCat targeting the healthcare sector, with attacks on hospital systems disrupting patient care. The group’s healthcare targeting drew particular law enforcement attention.
Technical Capabilities
The BlackCat ransomware binary was written in Rust, providing cross-platform compilation, memory safety, and resistance to static analysis. The ransomware supported configurable encryption modes (full, fast, auto, smart) and could target Windows, Linux, and VMware ESXi environments from a single codebase.
ExMatter served as the group’s primary data exfiltration tool, selectively stealing files based on extension and uploading them to attacker-controlled infrastructure before encryption. The Sphynx variant (version 2.0) added improved evasion capabilities and embedded tooling for lateral movement.
BlackCat operated as a RaaS, providing affiliates with a customizable ransomware builder, negotiation panel, and data leak site. The operation took a 10-20% commission on ransom payments, with affiliates handling initial access and deployment.
Attribution
The FBI and CISA described BlackCat/ALPHV as a Russian-speaking cybercriminal operation in multiple advisories. In December 2023, the DOJ announced the disruption of BlackCat infrastructure, seizure of the group’s Tor-based leak site, and release of decryption keys for approximately 500 victims. The group briefly attempted to resume operations before conducting an apparent exit scam in March 2024 after receiving the Change Healthcare ransom payment.
Analysis by multiple security firms indicates that BlackCat’s developers were previously associated with the DarkSide (Colonial Pipeline) and BlackMatter ransomware operations, based on code similarities and operational patterns.
MITRE ATT&CK Profile
Initial Access: BlackCat affiliates use various access methods including valid accounts from access brokers (T1078), exploitation of public-facing applications (T1190), and social engineering of help desk personnel.
Execution: The Rust-based ransomware is executed via command line with configuration flags. PowerShell (T1059.001) and PsExec are used for deployment across networks.
Defense Evasion: The ransomware deletes volume shadow copies (T1490), terminates security processes (T1562.001), and modifies boot configuration to prevent recovery.
Exfiltration: ExMatter exfiltrates selected files to cloud storage (T1567.002) before encryption begins.
Impact: File encryption (T1486), service termination (T1489), and data leak site publication for double extortion.
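As an added illustration of how the Defense Evasion behaviours listed above (T1490: shadow copy deletion and boot configuration changes) can be surfaced from endpoint telemetry, here is a small detection routine written for this profile; it is not code from BlackCat or from the cited advisories, and the flat log layout, field names, sample records and regex patterns are this example's own assumptions.

```python
import re

# Recovery-inhibiting command patterns mapped to ATT&CK technique IDs.
# They cover the behaviours the profile lists under Defense Evasion
# (shadow copy deletion and boot configuration changes); the patterns are
# this example's own and are not drawn from the BlackCat binary.
INHIBIT_RECOVERY_PATTERNS = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", "T1490", "shadow copies deleted via vssadmin"),
    (r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "T1490", "shadow copies deleted via wmic"),
    (r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", "T1490", "Windows recovery disabled via bcdedit"),
    (r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", "T1490", "boot failures ignored via bcdedit"),
]

def parse_record(line):
    """Parse one constructed 'key=value|key=value' process record into a dict
    (real Sysmon exports are XML/EVTX; this flat layout keeps the example offline)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields

def detect_inhibit_recovery(log_lines):
    """Return (host, user, technique, description) for each process-creation
    record (EventID 1) whose command line matches a recovery-inhibiting pattern.
    Matching is case-insensitive so casing differences do not hide a match."""
    findings = []
    for line in log_lines:
        rec = parse_record(line)
        if rec.get("EventID") != "1":
            continue
        cmd = rec.get("CommandLine", "")
        for pattern, technique, description in INHIBIT_RECOVERY_PATTERNS:
            if re.search(pattern, cmd, re.IGNORECASE):
                findings.append((rec.get("Computer"), rec.get("User"), technique, description))
                break  # one finding per record is enough for alerting
    return findings

# Constructed sample records (not real telemetry). The third line is a benign
# listing of shadow copies and the fourth is a network event, not process creation.
SAMPLE_LOG = [
    "EventID=1|Computer=WS01|User=CORP\\svc_backup|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "EventID=1|Computer=WS01|User=CORP\\svc_backup|CommandLine=bcdedit /set {default} recoveryenabled No",
    "EventID=1|Computer=WS02|User=CORP\\alice|CommandLine=vssadmin.exe List Shadows",
    "EventID=3|Computer=WS02|User=CORP\\alice|CommandLine=",
]

if __name__ == "__main__":
    for host, user, technique, description in detect_inhibit_recovery(SAMPLE_LOG):
        print(f"{host} {user} {technique}: {description}")
```

Command-line matching is one layer only; in production pair it with alerts on the VSS service state and on backup-catalogue changes so a single missed pattern does not leave recovery inhibition unseen.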
Sources & References
- CISA: Advisory AA23-353A - BlackCat/ALPHV — CISA, 2023-12-19
- US DOJ: ALPHV/BlackCat Ransomware Disrupted — US Department of Justice, 2023-12-19
- FBI: BlackCat/ALPHV Flash Alert — FBI, 2022-04-19
- Microsoft: The Many Lives of BlackCat Ransomware — Microsoft Security, 2022-06-13