Blackcat ransomware (Alphv)

Alphv: A New Era of Cyber Threats

ThreatIntelligenceLab.com

Alphv, also known as BlackCat, has become a significant cyber threat. Emerging in November 2021, it quickly made a name for itself. It is written in Rust for better stealth and performance, and runs across Windows, Linux, and VMware systems [1].

BlackCat Ransomware Exit Scam

The BlackCat ransomware gang, known for its notorious cyberattacks, is reportedly pulling an exit scam.

This move involves shutting down operations and fleeing with the money meant for their affiliates, under the guise of an FBI seizure of their site and infrastructure. The group announced the closure of their project due to “the feds,” as stated on a hacker forum, although they offered no further details [2].

Image: BlackCat Ransomware Exit Scam

Interestingly, a law enforcement agency mentioned in the seizure banner confirmed it had no part in any recent disruptions to ALPHV infrastructure, as reported by BleepingComputer. This casts doubt on the gang’s claims of law enforcement intervention.

The operation seemed to start unraveling last Friday when their Tor data leak blog went offline, followed by the shutdown of their negotiation servers on Monday.

Affiliates have raised complaints, notably about a stolen $20 million ransom meant for Change Healthcare, hinting at internal conflicts and possible deceit within the group.

The ALPHV admin has offered the ransomware source code for a price of $5 million.

Who is Alphv?

Alphv operates on a ransomware-as-a-service model, which has widened its global impact. The group employs methods such as the Emotet botnet and Log4j exploits for initial access, and uses Cobalt Strike to move deeper into compromised networks.

Image: Alphv, also known as BlackCat

Alphv’s Attack Strategy

The group specializes in double extortion tactics. They steal data before encrypting systems, then demand ransoms in cryptocurrency. Their meticulous approach includes disabling recovery options and spreading across networks.

Global Footprint

Alphv has hit over a thousand organizations, causing widespread disruption [3].

The United States has seen a large number of these attacks [4].

Their diverse tactics make their operations challenging to defend against.

Law Enforcement Response

Efforts by law enforcement have led to some disruption [5]. The FBI developed a decryption tool, helping over 500 victims worldwide [6]. This has prevented about $68 million in ransom payments. However, Alphv remains a significant threat.

Reward for Information on ALPHV/BlackCat Activities

The U.S. Department of State has announced a significant reward for information regarding the BlackCat ransomware group. They are offering up to $15 million in total rewards [7]:

  1. Leadership Identification Reward: Up to $10 million is available for details leading to the identification or location of individuals in key leadership positions within the group behind the ALPHV/BlackCat ransomware.
  2. Arrest and Conviction Reward: An additional reward of up to $5 million is available for information that leads to the arrest and/or conviction, in any country, of individuals involved in ALPHV/BlackCat ransomware activities.

Tor-based tipline:

he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion

Stay Protected

Organizations should stay updated on Alphv’s latest tactics and implement the recommended cybersecurity measures from the advisories cited below. Staying vigilant and informed is key to defending against Alphv’s attacks.

  1. https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
  2. https://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/
  3. https://www.malwarebytes.com/blog/news/2024/02/alphv-is-singling-out-healthcare-sector-say-fbi-and-cisa
  4. https://www.cisa.gov/news-events/alerts/2023/12/19/cisa-and-fbi-release-advisory-alphv-blackcat-affiliates
  5. https://www.justice.gov/opa/media/1329536/dl
  6. https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
  7. https://www.state.gov/reward-for-information-alphv-blackcat-ransomware-as-a-service/
