BlackCat
ALPHV/BlackCat is a financially motivated ransomware-as-a-service (RaaS) operation and prolific ransomware operator, also referred to in cited reporting as ALPHV, BlackCat, Noberus, and Embargo. The group was among the most active ransomware actors in 2023: one cited source lists 387 victims, and NCC Group tracking placed BlackCat among the top active ransomware groups in September 2023. Reporting also notes reduced activity after the late-2023 "ALPHV/BlackCat Ransomware Disruption."

The actor is associated with real-world exploitation of vulnerabilities, including confirmed exploitation of CVE-2024-1709 in ConnectWise ScreenConnect. It has been linked to high-profile extortion activity, including the Change Healthcare incident, in which Change Healthcare allegedly paid a $22 million ransom. Reporting also states that ALPHV filed a complaint with the U.S. Securities and Exchange Commission in November 2023 regarding MeridianLink's breach disclosure.

ALPHV/BlackCat operates through affiliates. Reporting indicates that Scattered Spider may have been connected to ALPHV/BlackCat as an initial access broker or affiliate, and that Octo Tempest became an affiliate in mid-2023. According to Microsoft reporting, Octo Tempest initially used the ALPHV Collections leak site for extortion and by June 2023 began deploying ALPHV/BlackCat ransomware payloads against Windows and Linux, with recent focus on VMware ESXi. LockBit also attempted to recruit affiliates from ALPHV after the disruption allegations.

Tactics and techniques directly mentioned in reporting include sophisticated defense evasion and fileless malware techniques, including reflective code loading; use of commercial remote management tools by affiliates; and cloud-focused ransomware activity.
In 2023, Sophos X-Ops reported that BlackCat deployed ransomware against victim Azure Storage accounts using the Sphynx encryptor, downloading blobs in bulk, encrypting them, and re-uploading them. In April 2023, ALPHV reportedly used an updated version of the POORTRY tool in the compromise of NCR, contributing to an outage affecting its Aloha point-of-sale platform.

Reporting further indicates ecosystem and tooling overlap with other ransomware operations. Malware hashes associated with 8Base infrastructure were also observed on onion sites associated with ALPHV, BianLian, Knight, and Play, suggesting shared backend or infrastructure relationships in the broader ransomware ecosystem. Separate reporting mentions indirect relationships between a Cobalt Strike watermark and BlackCat, and associations of Infostealer.Eamfo with Noberus alongside Cuba and LockBit attacks.

Aliases directly supported by reporting: ALPHV, BlackCat, Noberus, and Embargo.
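The bulk download-encrypt-reupload pattern described above leaves a distinctive trace in storage access logs: one caller reads many distinct blobs and then overwrites the same blobs shortly afterwards. The following detector is an added example written for this page; it is not code from Sophos, Mallory, or the actor, and it assumes a simplified event shape (time, operationName, callerIpAddress, uri) modelled on Azure Storage resource logs. The sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names approximate Azure Storage resource
# logs (assumption); one caller reads four blobs and rewrites all four, a
# second caller behaves like a normal application.
SAMPLE_EVENTS = [
    {"time": "2023-09-01T10:00:00Z", "operationName": "GetBlob", "callerIpAddress": "203.0.113.7", "uri": "https://acct.blob.core.windows.net/finance/q1.xlsx"},
    {"time": "2023-09-01T10:00:01Z", "operationName": "GetBlob", "callerIpAddress": "203.0.113.7", "uri": "https://acct.blob.core.windows.net/finance/q2.xlsx"},
    {"time": "2023-09-01T10:00:02Z", "operationName": "GetBlob", "callerIpAddress": "203.0.113.7", "uri": "https://acct.blob.core.windows.net/hr/payroll.csv"},
    {"time": "2023-09-01T10:00:03Z", "operationName": "GetBlob", "callerIpAddress": "203.0.113.7", "uri": "https://acct.blob.core.windows.net/hr/contracts.zip"},
    {"time": "2023-09-01T10:03:10Z", "operationName": "PutBlob", "callerIpAddress": "203.0.113.7", "uri": "https://acct.blob.core.windows.net/finance/q1.xlsx"},
    {"time": "2023-09-01T10:03:11Z", "operationName": "PutBlob", "callerIpAddress": "203.0.113.7", "uri": "https://acct.blob.core.windows.net/finance/q2.xlsx"},
    {"time": "2023-09-01T10:03:12Z", "operationName": "PutBlob", "callerIpAddress": "203.0.113.7", "uri": "https://acct.blob.core.windows.net/hr/payroll.csv"},
    {"time": "2023-09-01T10:03:13Z", "operationName": "PutBlob", "callerIpAddress": "203.0.113.7", "uri": "https://acct.blob.core.windows.net/hr/contracts.zip"},
    # Benign caller: reads two reports, rewrites one of them.
    {"time": "2023-09-01T10:05:00Z", "operationName": "GetBlob", "callerIpAddress": "198.51.100.5", "uri": "https://acct.blob.core.windows.net/reports/daily.json"},
    {"time": "2023-09-01T10:05:01Z", "operationName": "GetBlob", "callerIpAddress": "198.51.100.5", "uri": "https://acct.blob.core.windows.net/reports/weekly.json"},
    {"time": "2023-09-01T10:06:00Z", "operationName": "PutBlob", "callerIpAddress": "198.51.100.5", "uri": "https://acct.blob.core.windows.net/reports/daily.json"},
]


def _parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_bulk_rewrite(events, window=timedelta(minutes=30), min_blobs=3):
    """Return {caller: [blobs]} for callers that read at least `min_blobs`
    distinct blobs and then overwrote each of those same blobs with PutBlob
    within `window` of the first read. This is the read-encrypt-reupload
    shape, independent of what the new blob content looks like."""
    first_read = defaultdict(dict)   # caller -> blob uri -> time of first GetBlob
    rewritten = defaultdict(set)     # caller -> blobs read and then overwritten

    for event in sorted(events, key=lambda e: _parse_time(e["time"])):
        ts = _parse_time(event["time"])
        caller, blob = event["callerIpAddress"], event["uri"]
        op = event["operationName"]
        if op == "GetBlob":
            first_read[caller].setdefault(blob, ts)
        elif op == "PutBlob":
            read_at = first_read[caller].get(blob)
            if read_at is not None and ts - read_at <= window:
                rewritten[caller].add(blob)

    return {c: sorted(b) for c, b in rewritten.items() if len(b) >= min_blobs}


if __name__ == "__main__":
    for caller, blobs in detect_bulk_rewrite(SAMPLE_EVENTS).items():
        print(f"suspect caller {caller}: {len(blobs)} blobs read then overwritten")
        for blob in blobs:
            print("   ", blob)
```

The threshold and window are deliberately conservative defaults; in production they would be tuned against the normal read-then-write rate of backup jobs and ETL pipelines, and the caller key would usually be the authenticated identity rather than the source IP.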
Tradecraft
64 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
14 malware families attributed to this actor across reporting.
9 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE used by this actor in observed campaigns; it has been exploited in the wild.
Observables
126 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as another ransomware operation sharing malware-hash overlap with infrastructure associated with 8Base, indicating possible common tooling or shared backend ecosystem.
Referenced as a ransomware group whose affiliates allegedly overlapped with Gentlemen operators.
Referenced as a ransomware operation for which The Gentlemen founder was previously an affiliate.
Referenced as a ransomware group whose former members were reportedly involved in The Gentlemen's formation.