ALPHV/BlackCat: Who, What, Where, Why, How

Chad Warner
4 min readAug 11, 2022

--

ALPHV (aka BlackCat) is a Ransomware-as-a-Service (RaaS). The threat group behind it (also referred to as ALPHV or BlackCat) has made headlines in 2021 and 2022 due to the number of organizations it has hit, its quadruple extortion scheme, its unusual use of the Rust programming language, and its publishing searchable data dumps.

Photo by Adél Grőber on Unsplash

Who?

ALPHV (aka BlackCat, Noberus, AlphaVM, and AphaV) is ransomware, but these names are also used for the Russian-speaking group behind the ransomware, which has compromised over 100 organizations.

Those organizations include OilTanking GmbH, a German fuel company, Swissport, a Swiss aviation company, Moncler, an Italian fashion company, and Bandai Namco, a Japanese game and toy company.

ALPHV has been associated with the ransomware groups DarkSide (which hit the Colonial Pipeline) and BlackMatter (a rebrand of DarkSide) due to similar designs, shared developers and money launderers, and statements by a LockBit representative on cybercriminal forums. ALPHV may not be a rebrand of BlackMatter, but it seems to include people who were previously members of BlackMatter and DarkSide.

What?

ALPHV has hit organizations in energy, finance, legal services, and technology.

The group’s RaaS uses a “quadruple extortion” scheme:

  • Encryption: Victims must pay to regain access to encrypted data and systems.
  • Data theft: Threat actors release sensitive data if they don’t receive a ransom.
  • Denial of Service (DoS): Threat actors launch DoS attacks that bring down the victim’s public websites.
  • Harassment: Threat actors tell the victim’s customers, business partners, and employees, and the media, about the breach.

ALPHV launched a website called ALPHV Collections which makes data it has exfiltrated easily viewable and searchable. This site is on the open web, not the dark web, unlike many leak sites from other ransomware groups.

Where?

ALPHV members speak Russian, but their exact locations are unknown, and they may be located in multiple nations.

When?

ALPHV was first observed in November 2021, and it made headlines in 2022 by hitting many organizations, using the Rust programming language, and releasing ALPHV Collection, a site of searchable data dumps.

Why?

Based on their use of ransomware and high ransom demands (up to $2.5 million), it appears ALPHV is financially motivated.

How?

ALPHV stands out in that its ransomware is written in the Rust programming language, considered more secure than other languages. Most ransomware is written in JavaScript or C++. The use of Rust may be to make the ransomware better at evading detection, to avoid code similarities with other malware, and/or for better performance.

Because the ALPHV ransomware is RaaS, it’s used by affiliates. The malware gains initial access by using previously stolen user credentials, or by exploiting unpatched Microsoft Exchange servers. It uses PowerShell scripts, Windows administrative tools, Microsoft Sysinternals tools, and Cobalt Strike. The malware evades and disables security defenses. It compromises Active Directory user and administrator accounts. It uses Windows Task Scheduler to configure malicious GPOs to deploy ransomware. It establishes persistent access by avoiding shutting down critical processes or damaging critical application folders.

The malware exfiltrates data from on-premise systems and cloud systems before executing the ransomware, which encrypts the data, then prompts the victim to pay a ransom for the decryption tool and to prevent the leak of the stolen data.

Regardless of the affiliate behind the attack, all victims are directed to one ALPHV dark web site for ransom negotiations. Affiliates have requested ransom payments of several million dollars in Bitcoin and Monero, though they’ve accepted reduced payments.

This article’s author, Chad Warner, is seeking a cybersecurity job, preferably in cyber threat intelligence (CTI) or OSINT. Please contact him if you know of any openings.

Additional Resources

--

--

Chad Warner

Seeking a cybersecurity job, preferably in cyber threat intelligence (CTI) or OSINT. CTI, OSINT, & cybersecurity enthusiast, bookworm, fan of Tolkien & LEGO.