BlackCat [offline]

BlackCat [offline]

Active Since

November 2021 (Inactive since March 2024)

Victims as of January 2024

730

Known Forum Aliases

alphv, BlackCat46, ransom

Active Forum Accounts

XSS, Exploit, Ramp

Top Targeted Geographies

US, UK, Canada

The RaaS group BlackCat (also known as ALPHV or Noberus) is believed to include developers and money launderers from the former DarkSide ransomware group, most infamous for the Colonial Pipeline attack.

BlackCat is also suspected to have recruited former members of the REvil operation. It is noteworthy for being one of the first high-profile ransomware families to be written in Rust, a relatively modern programming language with features that make the malware harder to reverse engineer and defend against. It has also been reported that BlackCat lets its affiliates keep a larger share of the profits than other RaaS platforms. In February 2023 BlackCat announced the latest variant of its ransomware, named Sphynx.

BlackCat was ranked as one of the top three most prolific ransomware groups (by listed victims) in 2022 and 2023. Some of the group’s most notable listed victims from this year were Constellation Software, Sun Pharmaceuticals, Western Digital, Five Guys, and Reddit. BlackCat drew particular attention for its listing of MGM Casinos in September, which was attacked by its suspected affiliate, Scattered Spider.

It looked like the game might be up for BlackCat by the end of 2023, when the U.S. Department of Justice announced its disruption of the BlackCat ransomware gang in December, in collaboration with global law enforcement partners. The FBI shared a decryption tool to help victims to restore their systems and a seizure notice was displayed on BlackCat’s dark web leak site. However, the ransomware gang soon regained control of the site and down-played the significance of the law enforcement action and added victims to its new dark web leak site.

In March 2024 it was reported that BlackCat may have exit scammed after their dark web leak site went offline. The group claimed that it was closing the site and selling its source code in response to law enforcement action. However, in spite of the seizure notice that appeared on its leak site, agencies like the UK’s National Crime Agency denied any involvement in this takedown. Meanwhile, one of the group’s affiliates claimed on the RAMP cybercrime forum that BlackCat had taken the entire ransom from its attack on Change Healthcare, without sharing the profits – which has prompted the speculation that it has exit scammed. Its dark web leak site remains offline.

Threat Intelligence Report

More Groups, More Problems: Ransomware in 2023