BlackCat (cyber gang)

BlackCat, also known as ALPHV and Noberus, is a ransomware family written in Rust. It made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) who exploit it.

BlackCat operates on a ransomware as a service (RaaS) model, with developers offering the malware for use by affiliates and taking a percentage of ransom payments. For initial access, the ransomware relies essentially on stolen credentials obtained through initial access brokers. The group operates a public data leak site to pressure victims to pay ransom demands.

The group has targeted hundreds of organizations worldwide, including Reddit in 2023 and Change Healthcare in 2024. Since its first appearance, it is one of the most active ransomware.

As of February 2024, the U.S. Department of State is offering rewards of up to $10 million for leads that could identify or locate ALPHV/BlackCat ransomware gang leaders.

In March 2024, a representative for BlackCat claimed that the group is shutting down in the aftermath of the 2024 Change Healthcare ransomware attack.

Description
The group behind BlackCat utilizes mostly double extortion tactic but sometimes includes triple extortion which involves exposing exfiltrated data and threatening to launch distributed denial-of-service (DDoS) attacks on victims’ infrastructure.

BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero and have accepted ransom payments below the initial ransom demand amount. According to the FBI, many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/Blackmatter, indicating they have extensive networks and experience with ransomware operations.

The group is known for being the first ransomware to create a public data leaks website on the open internet. Previous cyber gangs typically published stolen data on the dark web. BlackCat's innovation was to post excerpts or samples of victims' data on a site accessible to anyone with a web browser. Security experts believe the tactic is intended to demonstrate more credibility to their claims of breaching victims' systems and increase pressure on organizations to pay ransoms to prevent full public exposure of their data. The group also mimics its victims' websites to post stolen data on typo squatted replicas on the web.

In its early campaigns, Royal ransomware used the encryptor tool called "BlackCat".

Beginning (2021-2022)
The malware was first observed by researchers from the MalwareHunterTeam in mid-November 2021.

By April 2022, the Federal Bureau of Investigation (FBI) released an advisory that several developers and money launderers for BlackCat had links to two defunct ransomware as a service (RaaS) groups – DarkSide and BlackMatter. According to some experts, the ransomware might be a rebranding of DarkSide, after their May 2021 attack on the Colonial Pipeline. It might also be a successor to the REvil cybercriminal group which was dismantled in late 2021.

Throughout 2022, BlackCat compromised and extorted numerous high-profile organizations globally including universities, government agencies and companies in the energy, technology, manufacturing, and transportation sectors. Reported victims include Moncler, Swissport, North Carolina A&T, Florida International University, the Austrian state of Carinthia, Regina Public Schools, the city of Alexandria, the University of Pisa, Bandai Namco, Creos, Accelya, GSE, NJVC, EPM, and JAKKS Pacific.

In September 2022, a report noted that the ransomware was using the Emotet botnet.

In late May 2022, a European government was attacked and asked US$5 million in ransom.

Sphynx variant (2023)
At the beginning of the year 2023, Blackcat attacked Grupo Estrategas EMM, NextGen Healthcare, Solar Industries India, Instituto Federal Do Pará, Munster Technological University, and Lehigh Valley Health Network.

In February 2023, a variant called "Sphynx" was released with updates to increase speed and stealth. As of May 2023, the group is estimated to have targeted over 350 victims globally since its emergence.

In June 2023, the group claimed responsibility for a February 2023 breach of Reddit's systems. On their data leak site, they claimed that they stole 80 GB of compressed data and demanded a $4.5 million ransom from Reddit. This attack did not involve data encryption like typical ransomware campaigns.

Takedown (December 2023)
On December 19, 2023 the group's website was replaced with an image: a message from the FBI claiming "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware.”

The FBI announced that same day they had "disrupted" the ALPHV/BlackCat group by seizing multiple websites as well as releasing a decryption tool. The tool could be used by ransomware victims to decrypt their files without paying the ransom.

As of February 2024, U.S. Department of State is offering rewards of up to $10 million for leads that could identify or locate ALPHV/Blackcat ransomware gang leaders. They are offering an additional $5 million reward for tips on people who take part in ALPHV ransomware attacks.

Attack on Hong Kong's Consumer Council (May 2024)
In May 2024, The Standard (Hong Kong) reported that Hong Kong's Consumer Council had been the target of "a ransomware attack on its servers and endpoint devices" and that such an attack had been conducted by ALPHV.

Tactics and techniques
The gang uses Emotet botnet malware as an entry point. It also uses Log4J Auto Expl to propagate the ransomware laterally within the network.

Threat actors associated with BlackCat were observed using hijacked webpages of legitimate organizations to redirect users to pages hosting malware. The rogue WinSCP installer distributed a backdoor containing a Cobalt Strike Beacon for follow-on intrusion activities. The access afforded by Cobalt Strike was used to conduct reconnaissance, lateral movement, data exfiltration, and tampering with security software. The threat actors gained domain admin privileges and began setting up backdoors before the attack was discovered.

The group abuses Group Policy Objects (GPOs) to distribute malware and disable security controls across networks.

The malware uses tools like ExMatter to steal sensitive data before deploying ransomware to encrypt files.

The ransomware incorporates techniques like junk code and encrypted strings to avoid detection. Once executed, BlackCat performs network discovery to find more systems to infect, deletes volume shadow copies, encrypts files, and drops a ransom note demanding cryptocurrency.

MGM and Caesars
Scattered Spider, an affiliate of ALPHV users (and speculated by some outlets to be a subgroup of ALPHV ) made up primarily of British and American hackers, worked with ALPHV in its September 2023 ransomware attacks against MGM Resorts International and Caesars Entertainment, the two largest casino operators and gaming companies in Las Vegas and some of the largest in the world. The hackers demanded a $30 million USD ransom from Caesars, which paid $15 million to the hackers. MGM, however, did not pay the ransom and instead shut down all systems for a period of weeks. This further affected MGM's online offerings, such as its sports betting platform BetMGM. The cyberattack on MGM led to a significant impact of $100 million on the company's financial performance for the third quarter of 2023.

Motel One
ALPHV was also used to conduct a ransomware attack against Motel One, though the company stated that its normal business operations were never at risk. The hackers were able to access some customer data and an estimated 150 credit cards.

Change Healthcare (UnitedHealth Group)
BlackCat was reported to be behind the 2024 Change Healthcare ransomware attack. Change Healthcare paid a $22 million ransom to recover data after the attack. However, a payment dispute between BlackCat and an affiliate involved with the attack has resulted in a BlackCat representative claiming that the group is shutting down and selling the source code for its ransomware products. This dispute has been viewed as a potential exit scam by the developers.