BlackCat, also known as ALPHV and sometimes Noberus, is a ransomware family run as a service where core developers recruit affiliates to carry out attacks. It first appeared in late 2021 and quickly became active across multiple sectors. The malware is written in Rust, which helps it run on Windows and Linux systems and makes analysis trickier for some security tools. A later variant, sometimes called “Sphynx,” is described as faster and more efficient.
Security researchers track BlackCat under several names: ALPHV, AlphaVM, and Noberus. Reporting links parts of the crew to earlier groups like DarkSide and BlackMatter. The operation follows a ransomware-as-a-service model, offering unusually high revenue shares to affiliates.
BlackCat campaigns have hit organizations in healthcare, finance, government, education, manufacturing, energy, and technology, among others. Targeting within the CIS region is discouraged by operators.
Affiliates use a mix of methods to get in: phishing emails, stolen or weak credentials, exposed RDP or VPN services, unpatched public-facing applications, and malvertising that poses as downloads for popular software. Once a foothold exists, delivery can involve tools like Cobalt Strike, with living-off-the-land binaries for discovery and lateral movement.
After entry, BlackCat encrypts files across servers and endpoints and can delete Windows Volume Shadow Copies to block easy recovery. Samples may require an “access token” parameter at run time; without the correct value the sample does not execute, which frustrates sandbox detonation and manual analysis. The malware supports Windows and Linux, including attacks on VMware ESXi hosts, and can spread to remote hosts via tools such as PsExec.
BlackCat is known for double and triple extortion. Operators both encrypt data and steal it, then pressure victims by threatening public leaks. In some cases they add DDoS threats to increase leverage. A public leak site has been used to publish stolen data and showcase compromises.
BlackCat supports several strong ciphers: file contents are encrypted with ChaCha20 or, in some builds, AES-256, and the symmetric keys are then protected with RSA. Campaigns often append unique or random file extensions. Ransom notes commonly use names like RECOVER-<random>-NOTES.txt, with links directing victims to a Tor-based payment portal.
Watch for sudden deletion of shadow copies, new scheduled tasks, unusual PowerShell activity, unexpected outbound connections, and the appearance of customized ransom notes or changed file extensions such as .alphv.
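The indicators above can be turned into simple host-level detection logic. The following Python script is an added example for this page, not code from the original article or from any vendor tooling: it runs a handful of rules over a few constructed telemetry lines (process command lines, file-creation paths and outbound connections in a made-up `type|key=value` format), and escalates any host where several independent indicators fire together. The event format, the approved-destination allowlist and the sample values are all assumptions for the example.

```python
import re

# Constructed sample telemetry (not captured from a real incident). One event per line:
#   <type>|host=<name>|<key>=<value>
# Addresses use the RFC 5737 documentation ranges; the ransom-note and extension values
# follow the naming the article describes.
SAMPLE_EVENTS = [
    "process|host=ws01|cmd=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "process|host=ws01|cmd=schtasks /create /tn SysCheck /tr C:\\ProgramData\\x.exe /sc onlogon",
    "process|host=ws01|cmd=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    "process|host=ws02|cmd=powershell.exe Get-Service -Name Spooler",
    "file|host=ws01|path=C:\\Users\\jdoe\\Documents\\RECOVER-k7f3qz-NOTES.txt",
    "file|host=ws01|path=C:\\Users\\jdoe\\Documents\\budget.xlsx.alphv",
    "file|host=ws01|path=C:\\Users\\jdoe\\Documents\\plan.docx.alphv",
    "network|host=ws01|dst=203.0.113.7:443",
    "network|host=ws02|dst=192.0.2.10:443",
]

# Assumed allowlist of approved outbound destinations (constructed for the example).
APPROVED_DESTINATIONS = {"192.0.2.10:443"}

# Rules: (rule name, event type it applies to, regex run against the event's key field).
RULES = [
    ("shadow_copy_deletion", "process",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("scheduled_task_created", "process",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("encoded_powershell", "process",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-e(c|nc|ncodedcommand)?\b", re.I)),
    ("ransom_note_written", "file",
     re.compile(r"(^|\\)RECOVER-[A-Za-z0-9]+-NOTES\.txt$", re.I)),
    ("alphv_extension", "file",
     re.compile(r"\.alphv$", re.I)),
]


def parse_event(line):
    """Split 'type|k=v|k=v' into a dict carrying the event type under 'type'."""
    parts = line.split("|")
    event = {"type": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def evaluate(events):
    """Return (rule, host, evidence) tuples for every event that matches a rule."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev["type"] == "process":
            subject = ev.get("cmd", "")
        elif ev["type"] == "file":
            subject = ev.get("path", "")
        elif ev["type"] == "network":
            # Network events are checked against the allowlist rather than a regex.
            dst = ev.get("dst", "")
            if dst not in APPROVED_DESTINATIONS:
                hits.append(("unapproved_outbound", ev["host"], dst))
            continue
        else:
            continue
        for name, etype, pattern in RULES:
            if etype == ev["type"] and pattern.search(subject):
                hits.append((name, ev["host"], subject))
    return hits


def hosts_to_escalate(hits, min_distinct_rules=3):
    """Hosts where several independent indicators fire are candidates for immediate response."""
    per_host = {}
    for rule, host, _ in hits:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("escalate:", hosts_to_escalate(found))
```

Any single rule here will produce false positives on its own (administrators create scheduled tasks and run encoded PowerShell), which is why the escalation step requires several distinct indicators on the same host before flagging it; the threshold is a tuning knob, not a fixed value.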
Defensive measures
Recommended practices include microsegmentation to limit lateral movement, strong identity controls with MFA, security awareness training that covers phishing, regular patching, and tested offline or off-network backups. Data loss prevention and modern endpoint detection can help spot exfiltration or block behaviors during early stages.
On December 19, 2023, the FBI announced a disruption of BlackCat operations and released decryption support for victims. After that announcement, primary operations were described as dormant, although the broader ecosystem continues to evolve.