BlackCat
BlackCat, also known as ALPHV and Noberus, is a ransomware family and ransomware-as-a-service (RaaS) operation that emerged in late 2021. It is widely noted as the first known ransomware written in Rust. The malware has both Windows and Linux variants, and reporting specifically notes deployments against VMware ESXi servers. BlackCat became one of the most prolific ransomware operations of 2023, with one cited count of 387 victims, and it has been linked in reporting to the 2023 MGM Resorts attack and the Change Healthcare incident.
BlackCat is operated through an affiliate model. Reported affiliates and associated clusters include Octo Tempest, a cluster that overlaps with the activity tracked as Scattered Spider/UNC3944, which became an ALPHV/BlackCat affiliate in mid-2023. Octo Tempest initially used the ALPHV leak site for data extortion and by June 2023 began deploying BlackCat ransomware payloads for both Windows and Linux, later focusing primarily on ESXi environments. Other reporting notes BlackCat payload use by Vice Society and by affiliates tracked as Ambitious Scorpius.
Observed behavior includes encryption of victim systems and double-extortion operations via leak-site pressure. BlackCat operators have required an execution password or command-line access token before encryption begins. On compromised hosts, BlackCat has been documented using net use commands to discover usernames and identify domain users. Affiliates associated with the operation have used ADRecon in multiple intrusions for Active Directory reconnaissance. Reporting also notes Azure-focused activity: in 2023, Sophos X-Ops reported that the BlackCat gang deployed the Sphynx encryptor against victim Azure Storage accounts by downloading blobs in bulk, encrypting them, and reuploading them to overwrite the originals; this method required only data-plane permissions such as a compromised storage account access key.
Initial access and exploitation associated with BlackCat activity include confirmed real-world exploitation of CVE-2024-1709, an authentication bypass vulnerability in ConnectWise ScreenConnect, by the BlackCat/ALPHV ransomware gang. Reporting also references indirect linkage between a Cobalt Strike watermark (678358251) found in an intrusion and BlackCat and Black Basta.
Reported targeting spans multiple sectors, including gaming, hospitality, healthcare, manufacturing, retail, technology, financial services, managed service providers, law, natural resources, and consumer products. BlackCat has also been referenced in healthcare-sector intrusions and in cloud storage extortion scenarios. Known aliases are ALPHV, ALPHV_BlackCat, BlackCat, and Noberus.
Vulnerabilities exploited
16 CVEs correlated with this family across public research and vendor advisories.
CVE-2024-1709 is an Authentication Bypass Vulnerability in ConnectWise ScreenConnect instances caused by inadequate validation of URLs and insufficient access control, and it is a high severity vulnerability with confirmed real-world exploitation by the BlackCat/Alphv ransomware gang and the Kimsuky group.
An analysis of ‘exp.exe’ indicated that it is a privilege escalation tool based on the exploitation of CVE-2022-24521 – a vulnerability in the Windows Common Log File System (CLFS) Driver, known to be used by several ransomware groups.
In order to move laterally, the MOA operators attempted, without success, to exploit the PrintNightmare (CVE-2021-34527), BlueKeep (CVE-2019-0708) and then ZeroLogon (CVE-2020-1472) vulnerabilities via the Mimikatz tool.
“Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS…”
Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi...
Groups observed using it
15 distinct threat actors attributed by public researchers.
The KeeLoader used in the attack installed Cobalt Strike, and its watermark, 678358251, was found to be indirectly related to BlackCat and BlackBasta.
In mid-2023, Octo Tempest became an affiliate of ALPHV/BlackCat, a human-operated ransomware as a service (RaaS) operation. By June 2023, Octo Tempest started deploying ALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims and lately has focused their deployments primarily on VMware ESXi servers.
Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty, Zeppelin, and Quantum Locker.
The BlackCat (or ALPHV) ransomware came to prominence in late 2021 and is the first known ransomware to be written in the Rust programming language.
These RaaS programs include: Akira (Howling Scorpius), ALPHV (Ambitious Scorpius), DragonForce (Slippery Scorpius), Play (Fiddling Scorpius), Qilin (Spikey Scorpius), and RansomHub (Spoiled Scorpius).
GOLD HARVEST has been known to operate as a ransomware affiliate, deploying ALPHV ransomware in attacks on MGM Resorts in 2023 and reportedly using RansomHub in attacks throughout 2024.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 3 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
BlackCat also spawns a number of its own processes, with syntax (for Windows) as follows: WMIC.exe ... cmd.exe ... reg.exe ... vssadmin.exe ... arp -a
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence: 4 techniques
Current data indicates primary delivery of BlackCat is via third-party framework/toolset (e.g., Cobalt Strike) or via exposed (and vulnerable) applications.
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Privilege Escalation: 2 techniques
Stealth: 7 techniques
MITRE ATT&CK T1027.002 – Obfuscated Files or Information: Software Packing
The ALPHV threat group is an early adopter of extortion schemes such as threatening victims with DDoS attacks, leaking exfiltrated data online...
Defense Impairment: 1 technique
Discovery: 6 techniques
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Immediately upon launch, the malware will attempt to validate the existence of the previously mentioned access token, followed by querying for the system UUID (wmic).
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement: 1 technique
Command and Control: 1 technique
Exfiltration: 3 techniques
The current version of Qyick does not have data exfiltration capabilities. However, lucrostm has announced that future versions will feature execution of arbitrary executable code, meant primarily for the execution of data exfiltration capabilities.
Impact: 5 techniques
By June 2023, Octo Tempest started deploying ALPHV/BlackCat ransomware payloads... This activity targets both Windows and Unix/Linux endpoints and VMware hypervisors using a variant of ALPHV/BlackCat.
BlackCat attempts to delete VSS (Volume Shadow Copies)... cmd.exe (vssadmin.exe) /c "vssadmin.exe delete shadows /all /quiet" ... wmic.exe Shadowcopy Delete ... bcdedit.exe /set {default} recoveryenabled No
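A small detector for the three recovery-inhibition commands quoted above (shadow copy deletion via vssadmin and wmic, recovery disabled via bcdedit), run over constructed process-creation events. This is an added example, not code from the page or from any vendor; the event field names (host, image, cmdline) and the sample events are assumptions.

```python
import re

# Constructed sample process-creation events (not from any real incident);
# each carries the image name and full command line as an EDR would record them.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "vssadmin.exe delete shadows /all /quiet"'},
    {"host": "ws01", "image": "wmic.exe",
     "cmdline": "wmic.exe Shadowcopy Delete"},
    {"host": "ws01", "image": "bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "ws02", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                     # benign: lists only
    {"host": "ws02", "image": "bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled Yes"},  # benign: re-enables
]

# Each rule is a name plus a regex applied to the normalized command line.
# Matching is case-insensitive, so "Shadowcopy Delete" and "shadowcopy delete"
# both hit, and the optional ".exe" copes with either spelling of the image.
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
]

def normalize(cmdline: str) -> str:
    """Drop quotes and collapse whitespace so a cmd.exe /c "..." wrapper still matches."""
    return " ".join(cmdline.replace('"', " ").split())

def classify(event: dict) -> list[str]:
    """Return the names of every rule the event's command line triggers."""
    line = normalize(event["cmdline"])
    return [name for name, rx in RULES if rx.search(line)]

def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (host, rule) pairs for every matching event in the batch."""
    return [(ev["host"], name) for ev in events for name in classify(ev)]

def flag_hosts(events: list[dict], min_rules: int = 2) -> list[str]:
    """Hosts that trip at least min_rules distinct rules in one batch; the page's
    sequence (delete shadows, then disable recovery) trips all three on one host."""
    by_host: dict[str, set[str]] = {}
    for host, name in hunt(events):
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if len(names) >= min_rules)
```

A single hit still merits triage, since legitimate administration rarely deletes all shadow copies quietly, but the per-host aggregation is what separates the ransomware pre-encryption sequence from a one-off.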
In one instance, the three men extorted a victim for roughly $1.2 million in Bitcoin and then split the proceeds.
Starting in April of that year, while working as a negotiator on behalf of five ransomware victims, Martino shared confidential information with BlackCat attackers about his clients’ positions and strategies to help maximize their ransom payments. That information included details such as victims’ insurance policy limits and other internal negotiation positions.
IOCs tracked for this family
248 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Rust-based ransomware family that targets ESXi environments; the report links it to the MGM Resorts 2023 attack.
BlackCat is referenced as a major ransomware brand whose disruption coincided with INC's rise.
Named ransomware family referenced only in a related-content teaser; no operational details are provided in the main article.
Named ransomware family referenced as a third-party payload used by Vice Society and as a disrupted operation whose shutdown created room for INC to expand.