{
	"id": "7a9e7d82-b332-4fb5-8556-66967f03ed3c",
	"created_at": "2026-05-05T02:45:18.991538Z",
	"updated_at": "2026-05-05T02:46:36.878623Z",
	"deleted_at": null,
	"sha1_hash": "2670ae0e44b3c5332dd99fa4713d822af9354126",
	"title": "BlackCat Ransomware: Tactics, Techniques \u0026 Mitigation Strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2361134,
	"plain_text": "BlackCat Ransomware: Tactics, Techniques \u0026 Mitigation Strategies\r\nArchived: 2026-05-05 02:06:30 UTC\r\nIn February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, faced every company’s worst nightmare. Attackers struck swiftly, encrypted vital patient data, and demanded an eye-watering ransom of $22 million. Even after paying the ransom, Change Healthcare did not get its data back.\r\nBehind this attack was BlackCat, also known as ALPHV, a ransomware group notorious for its ruthless efficiency, cunning affiliate tactics, and aggressive pursuit of high-value targets. Despite global crackdowns and arrests, ransomware poses the greatest cybersecurity threat in 2025. Underground forums continue to thrive, selling “access” and hiring “penetration testers”.\r\nIn this article, you’ll learn the latest intelligence on BlackCat ransomware – its evolution, extortion methods, notable attacks across industries, and the defensive strategies your organization can adopt today to detect, prevent, and respond to ransomware threats.\r\nImages used by ALPHV in the beginning\r\nhttps://blog.group-ib.com/blackcat\r\nPage 1 of 32\n\nUpdated logo\r\nKey Discoveries:\r\nBlackCat (ALPHV) surfaced in late 2021 and quickly became the second most prolific global ransomware strain, responsible for hundreds of millions in extorted payments.\r\nBlackCat operates as a Ransomware-as-a-Service (RaaS) with affiliates adopting whatever intrusion techniques yield results, including social engineering and malvertising.\r\nIn just a few years, BlackCat’s operators and affiliates have hit organizations from healthcare and hospitality to critical infrastructure, leaving a trail of encrypted systems and stolen data in their wake.\r\nBlackCat affiliates routinely engage in double extortion, stealing sensitive information and threatening to publish it if the ransom isn’t paid. 
Some affiliates have even layered in DDoS attack threats to coerce payment.\r\nIn 2024, the group grabbed headlines with one of the largest data breaches in history and even appeared to “shut down” amid internal turmoil, only to reemerge under a new guise.\r\nA similar Rust-based ransomware called “Cicada3301” appeared six months after, which cybersecurity analysts suspect is BlackCat 2.0 operating under a new name.\r\nAdvanced threat intelligence and detection solutions are helping organizations identify and block BlackCat operations early. In an incident, strong offline backups and an incident response plan can reduce BlackCat’s impact.\r\nWhat is BlackCat (ALPHV) Ransomware?\r\nBlackCat operates as a Ransomware-as-a-Service (RaaS) model and is considered one of the most sophisticated RaaS operations. The Russian ransomware group emerged shortly after the BlackMatter/DarkSide shutdown in 2021, suggesting a possible regrouping of veteran hackers under the ALPHV brand.\r\nSecurity researchers unofficially called it BlackCat for using two logos: a black cat and a knife dripping with blood. ALPHV members later attempted to move away from romanticizing crime by changing the design of their logo, but the name BlackCat has stuck.\r\nBlackCat started its activity in December 2021, when a campaign to attract new affiliates was advertised on underground forums. Not only was it led by experienced operators, but BlackCat’s malware was written in the Rust programming language, making it one of the first significant ransomware families to use Rust. 
Rust’s efficiency and cross-platform capabilities enabled the developers to add custom features and hinder reverse engineering.\r\nDescription of the affiliate program on an underground forum\r\nTranslation\r\nINTRO\r\nWelcome to our affiliate program.\r\nWe’ve taken into account all the advantages and weaknesses of previous affiliate programs and are proud to present to you ALPHV, a new generation of ransomware.\r\nAll the software has been developed from scratch, with decentralization of all web resources ensured architecturally. A unique onion domain is generated for every new campaign. Every affiliate has access through a unique onion domain (hello lockbit).\r\nA proprietary data center for storing file leaks bigger than 100 TB.\r\nTop recovery companies, which have worked with darkside, revil, etc. are already collaborating with us.\r\nChat support is available 24/7, but you can negotiate yourself if you’d like.\r\nSECURITY\r\nWe are fully prepared for present-day conditions, complying with all infrastructure and affiliate security requirements. Our affiliate program architecturally rules out any connections with forums (hello revil), has algorithms for data self-deletion after a certain time, and has an integrated mixer with an actual break in the chain (not to be confused with Wasabi, BitMix, and others), as you get perfectly clean coins from foreign exchanges. Our backend does not know the wallets your coins are sent to. The infrastructure is divided into “nodes”, which are interconnected via an entire network of intermediaries within the onion network and are located behind NAT+FW.\r\nEven after receiving a full-on cmdshell, the attacker cannot reveal the real IP address of the server (hello conti).\r\nACCOUNT\r\nIf your account has not been active for two weeks, it will be locked, then deleted. 
In order to avoid that, we recommend notifying the admins about vacations, breaks, etc.\r\nRates are dynamic and depend on the size of a single payment for each company, namely:\r\nUp to $1.5M – 80%\r\nUp to $3.0M – 85%\r\n$3M and more – 90%\r\nIn this campaign, potential affiliates were offered a brand new kind of ransomware family developed “from scratch” in the Rust programming language, which is a popular cross-platform programming language for creating secure and effective applications. The use of Rust to create ransomware was a major event in the world of cybercrime.\r\nDescription of the BlackCat ransomware family\r\nTranslation\r\nSOFTWARE\r\nThe software has been developed from scratch without using any templates or leaked source codes of other ransomware. You can choose between:\r\n4 encryption modes:\r\nFull – full file encryption. The most secure and the slowest.\r\nFast – encryption of the first N megabytes. Not recommended, the least secure option, but the fastest.\r\nDotPattern – encryption of N megabytes with an M interval. May function worse than Fast in terms of both speed and encryption strength if configured incorrectly.\r\nAuto – depending on the file type and size, the locker (both in windows and *nix / esxi) chooses the most optimal (in terms of the speed / security ratio) strategy for processing files.\r\nSmartPattern – encryption of N megabytes with a percentage interval. By default, it encrypts with 10-megabyte blocks with an interval of 10% of the file starting with the header. The most optimal mode in terms of the speed\\encryption strength ratio.\r\n2 encryption algorithms:\r\nChaCha20\r\nAES\r\nIn auto mode, the software determines the presence of hardware support for AES (present in all modern processors) and uses it. 
If there is no AES support, the software encrypts files using ChaCha20.\r\nThe software is cross-platform, i.e., if you mount Windows disks in Linux or vice versa, the decryptor will be able to decrypt files.\r\nSupported OSs\r\nThe entire Windows line from Windows 7 and above (we tested it on 7, 8.1, 10, 11, 2008r2, 2012, 2016, 2019, 2022); XP and 2003 can be encrypted through SMB.\r\nESXI (tested on 5.5, 6.5, 7.0.2u)\r\nDebian (tested on 7, 8, 9)\r\nUbuntu (tested on 18.04, 20.04)\r\nReadyNAS, Synology\r\nThe new RaaS program took into account the hostile experience of its predecessors, namely the DarkSide, BlackMatter, and REvil affiliate programs. After their notorious attacks against major companies, these groups came under the spotlight of security researchers and law enforcers, who, together with samples, obtained access to victims’ pages containing correspondence with threat actors, where they often interfered.\r\nInformation about using access tokens\r\nTranslation\r\nSince binaries have been leaking to analysts lately, and VT premium lets you download samples and get readmes, random people may appear in chats and disrupt negotiations (hello darkside), when launching the software you MUST use the flag --access-token. cmdline arguments are not passed to AVs, which will ensure that your correspondence with the victim is confidential. 
For the same reason, every encrypted computer generates a unique ID used for dividing chats.\r\nThere is a feature for uploading files from the MEGA service: you provide a link to files and they are automatically uploaded to your servers.\r\nThe complete description of all features can be found in the FAQ section.\r\nTo avoid previous mistakes, the BlackCat authors fitted the ransomware with a mandatory command line parameter containing an access token provided by the RaaS owners to their affiliates along with the ransomware suite.\r\nThe ransomware uses the access token to derive the access key, which is added to a Tor link for the victim to access their page.\r\nContents of the help text file provided to RaaS affiliates\r\nThis link is saved in the ransom note, which is created as a text file in each directory with encrypted files.\r\nRansom note\r\nWhen victims published information from their chats, BlackCat affiliates would punish them by increasing the ransom demands. 
At the start of their activity, the threat actors were even more radical; for instance, they deleted the victim’s encryption keys to intimidate future victims.\r\nInformation about deleting the encryption keys of a victim published by BlackCat operators\r\nVictim’s personal page\r\nBlackCat Extortion Methods\r\nDouble/Triple Extortion and Leak Sites\r\nA hallmark of BlackCat’s operations is the use of double extortion and triple extortion techniques:\r\nThe stolen information is published on BlackCat’s Dedicated Leak Site (DLS).\r\nTo mount pressure on the victim, BlackCat affiliates may threaten to send sensitive data to the victim’s competitors, partners, customers, mass media, law enforcement, etc.\r\nBlackCat ransomware victims may receive threats of a DDoS attack launched against their infrastructure to extort higher payments, on top of data leaks.\r\nThe gang prefers cryptocurrency (BTC or Monero) for payment, and negotiations are conducted via an encrypted chat hosted on a unique onion domain assigned to each victim.\r\nU.S. authorities report that BlackCat targeted over 1,000 organizations worldwide in its first 18 months of activity.\r\nIn 2022, BlackCat launched “ALPHV Collections,” a searchable leak platform on the open web (with a clearnet domain) that indexed victim data for anyone to browse. BlackCat’s leaked data was indexed on the open web, making it easily accessible to the public and search engines.\r\nIn some cases, the gang went further by leaking files on public websites impersonating the victim’s own domain (using lookalike/typosquatting URLs), a tactic intended to draw even more attention to the breach. 
BlackCat’s leak site entries provide proof documents and a short, threatening description of the breach, openly shaming the victim.\r\nA joint FBI/CISA alert noted that from December 2023 to February 2024, BlackCat’s leak site listed nearly 70 new victims, with the healthcare sector the most commonly victimized. Additionally, our investigators have found that BlackCat operators increasingly allude to auctioning stolen data or selling it to competitors if the victim balks.\r\nAs published in Group-IB’s Ransomware Readiness white paper, BlackCat was responsible for 427 known ransomware attacks in 2023, where victim data was posted on leak sites, making it the second most active group that year (behind only LockBit’s 1,079 incidents).\r\nBlackCat had also unveiled a public data leak API on its site, allowing anyone to fetch updates about new victims and leaked files automatically. This helped to amplify the visibility of BlackCat’s leaks when ransom negotiations faltered (e.g., after a high-profile victim like Estée Lauder refused to pay).\r\nThe FBI’s December 2023 operation, notably, provided many victims with a free decryptor, undermining BlackCat’s leverage. In response, BlackCat’s admin raged on their blog and encouraged hitting more healthcare targets (viewed as more likely to pay quickly).\r\nChat with a victim\r\nAt the time of writing, the stolen documents of 93 affected companies that refused to pay a ransom were published on BlackCat’s DLS. We estimate that the overall number of BlackCat victims since December 2021 is about 140.\r\nIn some cases, BlackCat affiliates have flipped the script entirely by forgoing encryption. For example, in February 2023, BlackCat claimed to have breached Reddit and stolen around 80 GB of data without deploying ransomware. 
They demanded $4.5 million and an end to Reddit’s planned API pricing changes as “ransom,” threatening to leak the stolen internal data.\r\nThis “data kidnapping” approach shows that if encrypting a target’s systems is too difficult or not the goal, BlackCat will simply steal valuable data and use the fear of a leak as leverage, even if no ransomware is deployed.\r\nBlackCat Ransomware Affiliates – Tactics, Techniques and Procedures\r\nBlackCat affiliates were behind some of the most brazen social engineering attacks of 2023, including the high-profile breach of MGM Resorts. In another significant case, Caesars Entertainment was targeted by Scattered Spider, a group closely associated with ALPHV.\r\n1. Gaining Access to the Network\r\nSince a single affiliate program may involve different threat actors, techniques used for obtaining initial access may differ. Further, affiliates may use the services of initial access brokers, who sell access to companies’ compromised infrastructures.\r\nAs part of investigating security incidents, we have seen the following techniques:\r\n1. Exploiting public-facing applications.\r\nThis technique gained popularity in 2021 among both affiliates and initial access brokers because many vulnerabilities allowing arbitrary code execution were discovered in a variety of applications. In the case of BlackCat, the attackers exploited a set of vulnerabilities known as ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), which enabled them to place a web shell on a vulnerable Microsoft Exchange server and then conduct post-exploitation activities.\r\n2. Using remote access tools.\r\nAccess via publicly accessible terminal servers remains the most popular technique for gaining initial access, and BlackCat affiliates used it in some cases. 
In addition to terminal servers, access to the target infrastructure could be gained via a VPN; many organizations still do not use multifactor authentication, which makes it easy for ransomware operators to use accounts whose credentials have been stolen, for example, by stealers.\r\n3. Malvertising and cloning legitimate websites.\r\nAffiliates set up fake websites (or hijack real ones) to host trojanized software or credential stealers. They then run malicious ads or search engine poisoning to draw in victims looking for popular software cracks or tools. When an unwitting user downloads the payload, it installs a backdoor or keylogger that the attackers later use to pivot into the corporate network. This technique allows BlackCat to compromise companies that have poor web filtering and might not fall for direct phishing.\r\n2. Establishing Foothold\r\nHaving obtained initial access, the attackers copy a set of tools (in full or in part) to the compromised host and seek to ensure persistence and gain access to privileged accounts to be able to move across the network.\r\n1. For additional capabilities to access the compromised network, the attackers could use tunnels built using ngrok or gost, or software such as TeamViewer or ScreenConnect.\r\n2. Attackers also install backdoors or C2 beacons for persistent access. For example, they deploy a Cobalt Strike Beacon or CSharp-Streamer RAT.\r\n3. In most incidents, BlackCat affiliates relied on legitimate tools to extract authentication data by dumping the LSASS (Local Security Authority Subsystem Service) process. For instance, the threat actors used ProcDump and exploited the MiniDump feature of the legitimate library comsvcs.dll.\r\n4. Some attackers went beyond LSASS and used various NirSoft tools to extract authentication data from the registry, web browsers, and other storage spaces.\r\n3. 
Network Discovery\r\nHaving established a beachhead, BlackCat affiliates map out the victim’s network. They need to identify what machines are present, how they’re connected, and which ones hold vital data or critical services.\r\nAttackers often start with classic network scanning commands and discovery tools:\r\n1. SoftPerfect Network Scanner, a popular tool among ransomware groups, scans the network.\r\n2. ADRecon collects information about Active Directory; it is another standard tool among REvil and BlackMatter affiliates.\r\n3. To collect data about available local and network drives, the NS tool is used; it is especially popular with affiliates that use terminal servers to gain initial access.\r\nKey Assets Discovery, Network Propagation and Data Exfiltration\r\nWith enough privileges in the target IT infrastructure, the attackers start moving to key nodes, which will enable them to download the most important information and do away with backups.\r\n1. BlackCat affiliates use legitimate techniques (such as RDP) and noisier ones (e.g., Impacket: wmiexec and smbexec in particular; and Cobalt Strike) to move across the network.\r\n2. PuTTY is often used to gain access to the part of the infrastructure running on Linux.\r\n3. Before being exfiltrated, data is archived using 7-Zip and uploaded to the MEGA file sharing service using the Rclone utility.\r\n4. In some cases, affiliates used ExMatter, an exfiltration tool that was seen earlier in the arsenal of BlackMatter affiliates. 
\r\nDeployment Preparation\r\nBlackCat ransomware deployment is preceded by the erasure or encryption of available backup copies and the collection of additional credentials that would allow the attackers to infect the Linux segment in addition to Windows.\r\nAlthough BlackCat samples are not highly detectable, some affiliates seek to disable antivirus software before moving on to the deployment stage.\r\nBlackCat Ransomware Deployment\r\nThe propagation of BlackCat in the victim’s IT infrastructure is achieved by either modifying group policies (which results in a scheduled task being created, on each host, that launches the malicious file) or using PsExec.\r\nThe ransomware is written in Rust. Many researchers rightfully consider BlackCat one of the most sophisticated ransomware groups out there at the moment. BlackCat programs are feature-rich and offer flexible custom settings due to the use of various configuration data and command line arguments.\r\nThere are BlackCat versions for Windows (32-bit) and Linux (32-bit and 64-bit). The 64-bit Linux version primarily targets ESXi servers. In March 2022, a new version of BlackCat emerged, called ALPHV MORPH. On underground forums its authors proudly claimed that thanks to obfuscation, antivirus software is practically unable to detect it.\r\nDescription of ALPHV MORPH features on an underground forum\r\nTranslation\r\nLOCKER\r\n1. We are proud to present ALPHV MORPH. Without going into the spicy details, we inform that the binary is completely cleared every hour. In addition to recrypting calls, strings, and other things, the RUST compiler makes it possible to enrich every build with unique runtime junk, which in the end yielded fantastic results. At the moment, no AV detects it (not to be confused with edr! 
we did not test it on sentinel), including defender with the cloud disabled – the binary is not deleted even after the machine is fully encrypted. In test mode so far, intentionally(!), it is available to everyone via Build-\u003eObfuscated. In the future, this functionality will only be available to affiliates with the + status.\r\n2. Minor fixes in the locker’s operation.\r\np.s. There is no AV for ESXI yet, but we already have a linux polymorph 🙂 That’s right, linux is also morphed every hour just because we can.\r\nIt has been mentioned before that launching BlackCat ransomware requires specifying the value of an access token in the command line parameter --access-token.\r\nIn earlier versions, whether the token value was correct was not checked; the access key was simply calculated from the entered token value, so the program would launch and files would be encrypted, but accessing the victim’s panel would be impossible.\r\nIn the ALPHV MORPH version, the first 16 characters of the access token are used as a key to decrypt configuration data, which is why, if incorrect data is entered, the ransomware will not start.\r\nTo bypass User Account Control (UAC), BlackCat escalates privileges using the ICMLuaUtil COM interface. 
Privileges can also be escalated using the Masquerade PEB method.\r\nBlackCat ransomware may attempt to authenticate using stolen credentials contained in configuration data.\r\nWhen launched, BlackCat enables evaluation of symbolic links from remote locations to local and remote targets:\r\nfsutil behavior set SymlinkEvaluation R2L:1\r\nfsutil behavior set SymlinkEvaluation R2R:1\r\nIt stops IIS by executing the following command:\r\niisreset.exe /stop\r\nDeletes volume shadow copies:\r\nvssadmin.exe Delete Shadows /all /quiet\r\nwmic.exe Shadowcopy Delete\r\nDisables recovery in the Windows boot menu:\r\nbcdedit /set {default}\r\nbcdedit /set {default} recoveryenabled No\r\nClears Windows event logs:\r\nfor /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"\r\nIn addition, the ransomware ends processes and stops services specified in the configuration.\r\nIt should be noted that BlackCat for Windows can independently propagate itself in the local area network as a network worm. To do so, the legitimate PsExec utility contained in the body of the ransomware is used together with stolen credentials specified in the configuration.\r\nFile encryption is multi-threaded. The AES-128 CTR or ChaCha20 algorithm can be used to encrypt file contents depending on the settings, with nonce vectors containing 8 or 12 null bytes respectively. In addition, various file encryption modes can be used; below are their brief descriptions.\r\nAvailable command line parameters\r\nParameter Description\r\n-h, --help Displays information about command line parameters.\r\n-p, --paths … Encrypts files at the paths specified in this parameter.\r\n-v, --verbose Shows a report in the console.\r\n--access-token Specifies an access token (ACCESS_TOKEN). 
This is used to form an access key (ACCESS_KEY) that is used for creating a link for the victim to access their personal page. In the ALPHV MORPH versions, the first 16 characters of ACCESS_TOKEN are used as a key to decrypt (AES-128 CTR) the ransomware configuration data.\r\n--bypass … This parameter is not used.\r\n--child Launches the ransomware as a child process.\r\n--drag-and-drop Launches the ransomware in drag-and-drop mode.\r\n--drop-drag-and-drop-target Extracts a BAT file, to which objects that are to be encrypted can be dragged in drag-and-drop mode. The template for the BAT file is in the body of the ransomware in a compressed format (Deflate). In the ALPHV MORPH versions the template is additionally encrypted (AES-128 CTR).\r\n--extra-verbose Shows a more detailed report.\r\n--log-file Outputs a report to a specified file.\r\n--no-net Ensures that files on available network resources are not encrypted.\r\n--no-prop Ensures that the ransomware does not self-propagate. For self-propagation, the PsExec utility is used together with credentials specified in the value of the configuration data parameter “credentials”. The PsExec utility is in the body of the ransomware in a compressed format (Deflate). 
In ALPHV MORPH it is also encrypted (AES-128 CTR).\r\n--no-prop-servers … A list of servers excluded during self-propagation.\r\n--no-vm-kill Ensures that virtual machines are not stopped.\r\n--no-vm-kill-names … A list of names of virtual machines that are not stopped.\r\n--no-vm-snapshot-kill Ensures that virtual machine snapshots are not destroyed.\r\n--no-wall Ensures that the desktop wallpaper is not updated.\r\n--propagated Launches the ransomware in self-propagation (worm) mode.\r\n--ui Launches the ransomware with a graphical interface displaying the encryption progress.\r\nBlackCat configuration data is contained in the body of the ransomware in JSON format. In earlier BlackCat versions, the configuration data was in plain text, while in the latest versions (ALPHV MORPH), it is stored in an encrypted form (AES-128 CTR). For decryption, the first 16 characters of the access token are used as the key. If the characters are entered incorrectly, the ransomware will not be able to run due to a configuration data error.\r\nFormatted BlackCat configuration data\r\nParameter Description\r\nconfig_id Configuration identifier.\r\npublic_key A Base64-encoded RSA public key in the DER format.\r\nextension Extension of encrypted files / victim identifier.\r\nnote_file_name Name of a text file with a ransom note.\r\nnote_full_text Template for a full ransom note text.\r\nnote_short_text Template for a short ransom note text used for desktop wallpapers.\r\ndefault_file_mode (DotPattern, HeadOnly, SmartPattern, AdvancedSmartPattern, Full, Auto) Default file encryption mode. DotPattern – encryption with blocks with an interval. HeadOnly – encryption of the initial part. SmartPattern – encryption with blocks with an interval based on percentage of the file size. 
AdvancedSmartPattern – encryption with blocks with an interval based on the file size with advanced settings. Full – full encryption of file contents. Auto – automatic selection of the file encryption method based on the file type and size.\r\ndefault_file_cipher (Best, Aes, ChaCha20) Default file encryption algorithm. Best – if there is hardware support for AES (AES-NI), files are encrypted using AES-128 CTR, otherwise using ChaCha20.\r\ncredentials List of stolen credentials of the victim.\r\nkill_services List of services to be stopped.\r\nkill_processes List of substrings with names of processes to be ended.\r\nexclude_directory_names List of directory names excluded during encryption.\r\nexclude_file_names List of file names excluded during encryption.\r\nexclude_file_extensions List of file extensions excluded during encryption.\r\nexclude_file_path_wildcard List of file path wildcards excluded during encryption.\r\nenable_network_discovery (true, false) Encrypts files on available network resources.\r\nenable_self_propagation (true, false) Enables self-propagation in the network (worm mode). 
The PsExec utility and credentials specified in the value of the parameter “credentials” are used for the propagation process.\r\nenable_set_wallpaper (true, false) Sets an image with a message about files being encrypted as the wallpaper.\r\nenable_esxi_vm_kill (true, false) Stops virtual machines.\r\nenable_esxi_vm_snapshot_kill (true, false) Destroys virtual machine snapshots.\r\nstrict_include_paths List of paths for encrypting files.\r\nesxi_vm_kill_exclude Whitelist of virtual machine names.\r\nIt must be noted that despite some of the group’s methods being sophisticated, many tactics, techniques and procedures employed by BlackCat affiliates can be easily detected, which indicates serious flaws in organizations’ security systems as well as a shortage of skilled security specialists.\r\nAdditional information\r\nMITRE ATT\u0026CK®\r\nTactic Technique Description\r\nTA0001 Initial Access\r\nT1190 Exploit Public-Facing Application – In a number of attacks, the threat actors used ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).\r\nT1133 External Remote Services – As an initial attack vector, insecure RDP and VPNs may be used.\r\nT1078 Valid Accounts – BlackCat affiliates may purchase access to their victim’s network infrastructure on underground forums.\r\nTA0002 Execution\r\nT1106 Native API – BlackCat ransomware uses the Native API.\r\nT1053 Scheduled Task/Job – When deploying ransomware in the victim’s network infrastructure, BlackCat affiliates may exploit group policies, which results in a scheduled task being created (on each host) that launches the ransomware.\r\nT1059.001 Command and Scripting Interpreter: PowerShell – The attackers may use PowerShell scripts when deploying ransomware in the victim’s network, disabling security tools, and encrypting files.\r\nT1059.003 Command and Scripting Interpreter: 
Windows Command Shell – For stopping IIS, deleting Volume Shadow Copies, disabling recovery, clearing Windows event logs, etc., the BlackCat ransomware uses the command shell to run the appropriate commands.\r\nT1047 Windows Management Instrumentation – The attackers may use wmic to obtain information and run various commands, including to delete Volume Shadow Copies. They may also use the wmiexec module from Impacket to execute commands and move across the network.\r\nT1569.002 System Services: Service Execution – The BlackCat ransomware for Windows can self-propagate in the local area network using the legitimate PsExec utility (contained in its body), which creates a temporary system service.\r\nTA0003 Persistence\r\nT1505 Server Software Component – Successfully exploiting ProxyShell vulnerabilities enabled the attackers to place a web shell on a vulnerable Microsoft Exchange server.\r\nT1078 Valid Accounts – Legitimate accounts obtained by the attackers can be used to ensure persistence in the compromised infrastructure.\r\nTA0004 Privilege Escalation\r\nT1078 Valid Accounts – To escalate privileges, BlackCat may use stolen legitimate accounts specified in the configuration data.\r\nT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control – To bypass UAC, BlackCat ransomware may escalate privileges using the ICMLuaUtil COM interface, as well as use the Masquerade PEB method.\r\nT1134.002 Access Token Manipulation: Create Process with Token – To escalate privileges, the BlackCat ransomware can launch its process using stolen authentication data and the function CreateProcessWithLogonW.\r\nTA0005 Defense Evasion\r\nT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control – The attackers may bypass UAC using the ICMLuaUtil COM interface, as 
well as use the Masquerade PEB\r\nmethod.\r\nT1140 Deobfuscate/Decode Files\r\nor Information\r\nBlackCat decrypts configuration data as well as\r\ndecrypts and unpacks the legitimate PsExec utility and\r\nan additional BAT file contained in the body of the\r\nransomware.\r\nT1027 Obfuscated Files or\r\nInformation\r\nBlackCat ransomware uses obfuscation.\r\nT1562.001 Impair Defenses:\r\nDisable or Modify Tools\r\nTo prevent being detected, the attackers end processes\r\nand services related to security and antivirus software.\r\nT1497 Virtualization/Sandbox\r\nEvasion\r\nTo counter analysis (including in a sandbox), ALPHV\r\nMORPH checks the value of the command line\r\nparameter access-token. Its value must contain the correct\r\nfirst 16 characters used to decrypt BlackCat\r\nconfiguration data.\r\nT1070.001 Indicator Removal on\r\nHost: Clear Windows Event Logs\r\nBy using wevtutil, BlackCat can clear all Windows\r\nevent logs on a compromised host.\r\nT1036 Masquerading\r\nThe attackers use a SoftPerfect Network Scanner\r\nexecutable renamed to svchost.exe.\r\nT1112 Modify Registry\r\nTo propagate, BlackCat uses PsExec to modify the\r\nsystem registry parameter MaxMpxCt to increase the\r\nnumber of failed network requests for each client.\r\nTA0006\r\nCredential\r\nAccess\r\nT1003.001 OS Credential\r\nDumping: LSASS Memory\r\nTo obtain authentication data, the attackers may dump\r\nthe LSASS process using legitimate tools (procdump,\r\ncomsvcs.dll).\r\nT1552 Unsecured Credentials\r\nTo obtain authentication data from the registry and\r\nfiles, the attackers may use NirSoft utilities.\r\nT1555 Credentials from\r\nPassword Stores\r\nTo extract authentication data from web browsers and\r\nother storage spaces, the attackers may use NirSoft\r\nutilities.\r\nTA0007\r\nDiscovery\r\nT1018 Remote System\r\nDiscovery\r\nTo enumerate domain hosts, the attackers used the\r\nADRecon 
tool.\r\nT1069.001 Permission Groups\r\nDiscovery: Local Groups\r\nTo obtain information about local and domain user\r\ngroups, the attackers used the ADRecon tool.\r\nT1069.002 Permission Groups\r\nDiscovery: Domain Groups\r\nT1087.001 Account Discovery:\r\nLocal Account\r\nTo obtain information about local and domain\r\naccounts, the attackers used the ADRecon tool.\r\nT1087.002 Account Discovery:\r\nDomain Account\r\nT1482 Domain Trust Discovery\r\nTo obtain information about domain trust, the attackers\r\nused the ADRecon tool.\r\nT1046 Network Service\r\nScanning\r\nTo scan the target network, the attackers use the open-source utility SoftPerfect Network Scanner.\r\nT1135 Network Share Discovery\r\nTo search for network shares, the attackers use the\r\nopen-source utility SoftPerfect Network Scanner.\r\nT1016 System Network\r\nConfiguration Discovery\r\nFor network reconnaissance, the attackers use the\r\nopen-source utility SoftPerfect Network Scanner.\r\nT1082 System Information\r\nDiscovery\r\nBlackCat uses wmic to obtain the UUID of the\r\ncompromised host.\r\nT1057 Process Discovery\r\nBlackMatter enumerates all running processes to\r\nsearch for ones relating to security, backups, databases,\r\nemail systems, office programs, etc.\r\nT1007 System Service Discovery\r\nBlackCat enumerates system services to search for\r\nones relating to security, backups, and databases.\r\nT1083 File and Directory\r\nDiscovery\r\nThe attackers enumerate drives, directories, and files to\r\nsearch for sensitive information for exfiltration\r\npurposes.\r\nTA0008\r\nLateral\r\nMovement\r\nT1021.001 Remote Services:\r\nRemote Desktop Protocol\r\nThe attackers may use RDP to move across the\r\nnetwork.\r\nT1021.002 Remote Services:\r\nSMB/Windows Admin Shares\r\nAfter obtaining privileged authentication data, in order\r\nto spread 
over the local area network and access\r\nnetwork resources, the attackers may use the PsExec\r\nutility, as well as the psexec, wmiexec and smbexec\r\nmodules from Impacket.\r\nT1021.004 Remote Services:\r\nSSH\r\nTo access parts of the infrastructure running on Linux,\r\nthe attackers use the PuTTY utility.\r\nT1570 Lateral Tool Transfer\r\nMoving across the victim’s network and deploying\r\nransomware involves copying related tools to the host.\r\nThe BlackCat ransomware can self-propagate in the\r\nnetwork by using the legitimate PsExec utility\r\ncontained in its body.\r\nTA0009\r\nCollection\r\nT1560.001 Archive Collected\r\nData: Archive via Utility\r\nBefore being exfiltrated, data may be put in archives\r\nusing 7-Zip.\r\nT1005 Data from Local System\r\nThe attackers collect information from the local system\r\nfor exfiltration purposes.\r\nT1039 Data from Network\r\nShared Drive\r\nThe attackers collect information from available\r\nnetwork resources for exfiltration purposes.\r\nT1074 Data Staged\r\nBefore exfiltration, the attackers may put collected data\r\nin 7-Zip archives.\r\nT1119 Automated Collection\r\nThe attackers use ExMatter, a tool for automated\r\ncollection of sensitive information.\r\nTA0011\r\nCommand\r\nand Control\r\nT1071 Application Layer\r\nProtocol\r\nRemote access tools used by the attackers may use\r\napplication layer protocols (HTTP, HTTPS, DNS).\r\nT1105 Ingress Tool Transfer\r\nAfter gaining initial access, the attackers copy tools\r\nnecessary for deployment to the compromised host.\r\nT1572 Protocol Tunneling\r\nTo access the compromised system, the attackers may\r\nuse tunnels built using ngrok or gost.\r\nT1573 Encrypted Channel\r\nTo remotely access the compromised infrastructure, the\r\nattackers may use Cobalt Strike, TeamViewer and\r\nScreenConnect, which perform asymmetric/symmetric\r\nencryption of the C\u0026C server communication 
channel.\r\nT1219 Remote Access Software\r\nTo remotely access the compromised infrastructure, the\r\nattackers may use the legitimate tools TeamViewer and\r\nScreenConnect.\r\nTA0010\r\nExfiltration\r\nT1041 Exfiltration Over C2\r\nChannel\r\nWhen the attackers use Cobalt Strike, the collected\r\ninformation may be sent via Cobalt Strike server\r\ncommunication channels.\r\nT1048.002 Exfiltration Over\r\nAlternative Protocol: Exfiltration\r\nOver Asymmetric Encrypted\r\nNon-C2 Protocol\r\nThe attackers may use the ExMatter exfiltration tool,\r\nwhich sends stolen data to SFTP and WebDAV\r\nresources specified in the ExMatter configuration.\r\nT1567.002 Exfiltration Over Web\r\nService: Exfiltration to Cloud\r\nStorage\r\nThe attackers use the Rclone synchronization utility to\r\nupload stolen data to the legitimate cloud storage\r\nservice MEGA.\r\nT1020 Automated Exfiltration\r\nAfter access has been gained, files from target hosts\r\nare automatically uploaded to the legitimate cloud\r\nstorage service MEGA using the Rclone utility.\r\nT1030 Data Transfer Size Limits\r\nTo avoid exceeding size limits on the data being\r\nsent and triggering security controls, the stolen data\r\nmay be sent in fixed-size blocks.\r\nTA0040\r\nImpact\r\nT1486 Data Encrypted for Impact\r\nBlackCat encrypts the contents of files in the local\r\nsystem as well as on available network resources.\r\nT1489 Service Stop\r\nBlackCat stops security, backup, database, email and\r\nother services specified in the configuration.\r\nT1490 Inhibit System Recovery\r\nBlackCat deletes Windows Volume Shadow Copies\r\nusing vssadmin and wmic, disables recovery in the\r\nWindows boot menu using bcdedit, and empties the\r\nRecycle Bin. 
BlackCat can stop backup services.\r\nBlackCat can destroy virtual machine snapshots.\r\nT1485 Data Destruction\r\nIf credentials for accessing a chat with the victim are\r\nleaked, BlackCat affiliates may delete encryption keys,\r\nwhich will render decrypting the files impossible.\r\nT1498 Network Denial of\r\nService\r\nIf the victim refuses to pay a ransom, BlackCat may\r\ncarry out DDoS attacks against the victim’s\r\ninfrastructure.\r\nNotable BlackCat Attacks and Affected Industries\r\nBlackCat/ALPHV targets large enterprises and institutions that handle sensitive data or provide critical services. Below,\r\nwe’ve highlighted a few high-profile incidents demonstrating the group’s devastating impact and preferred targets.\r\nChange Healthcare – Healthcare (Feb 2024)\r\nHospitals and health providers are seen as high-value targets (with lives and patient care at stake), which\r\nransomware groups tend to exploit. In February 2024, BlackCat infiltrated Change Healthcare, causing system\r\noutages in claims processing and pharmacy services nationwide. BlackCat attackers stole data on 190 million\r\nindividuals, including insurance member IDs, diagnoses, and Social Security numbers, making it the most\r\nsignificant healthcare breach in U.S. history and BlackCat’s most notorious attack.\r\nA $22 million ransom was paid to prevent the release of the stolen data. However, the BlackCat ransomware\r\ngroup performed an exit scam, pocketed the ransom payment, and didn’t pay the affiliate who conducted the\r\nattack. The affiliate then worked with another ransomware group, RansomHub, which attempted to extort Change\r\nHealthcare further. No additional ransom payments were made, and the stolen data remains in the hands of\r\ncybercriminals.\r\nIn a 2023 incident that parallels the attack on Change Healthcare, BlackCat infiltrated a system used for radiation\r\noncology, exfiltrating clinical photographs of breast cancer patients. 
When Lehigh Valley Health Network\r\n(LVHN) refused to pay the ransom, BlackCat escalated its tactics by publishing the nude images on its dark web\r\nleak site, a new low in ransomware extortion strategies. In response, LVHN agreed to a $65 million class action\r\nsettlement (one of the largest per-capita settlements in a healthcare data breach case).\r\nMGM Resorts International – Hospitality/Gambling (Sep 2023)\r\nIn a highly publicized incident, BlackCat (in partnership with the social-engineering group Scattered Spider)\r\nattacked MGM, one of the largest casino resort operators. In a full compromise, BlackCat and Scattered Spider\r\nstole customer data, including names, SSNs, driver’s licenses, and passport numbers.\r\nThe initial breach was achieved via a phone call to MGM’s IT helpdesk, tricking an employee into revealing\r\ncredentials. Once inside, the attackers deployed ransomware that forced MGM to shut down IT systems across all\r\nits Las Vegas properties as a containment measure.\r\nMGM disclosed that the business impact was over $100 million in lost revenue and remediation costs.\r\nInterestingly, MGM refused to pay the ransom, attempting to recover on its own, which likely contributed to the\r\nprolonged outage.\r\nCaesars Entertainment – Hospitality/Gambling (Sep 2023)\r\nJust days before the MGM hack became public, Caesars Entertainment was hit by a similar attack. Caesars\r\nadmitted in an SEC filing that hackers (believed to be the same BlackCat/Scattered Spider team) accessed its\r\nnetwork via a third-party IT vendor compromise and stole customer data, including many loyalty program\r\nmember records.\r\nTo avoid MGM’s fate, Caesars paid the attackers $15 million of the demanded $30 million ransom. The quick\r\npayment apparently prevented the encryption of Caesars’ systems—in contrast to MGM, Caesars experienced no\r\nmajor downtime. 
However, tens of millions of customer records were stolen. This pair of casino attacks raised\r\nalarm in corporate boardrooms worldwide about the potency of ransomware groups’ social engineering tactics.\r\nOur incident response team, having handled hundreds of ransomware cases, finds it remarkable. “Companies are\r\npouring hundreds of millions of dollars into sophisticated defenses—preventive security, threat detection, endpoint\r\nresponse, you name it. Yet attackers are still breaking in using the simplest methods imaginable: Click this link\r\nand enter your credentials. Sometimes the weakest link isn’t technical – it’s human.”\r\nReddit – Technology/Social Media (Feb 2023)\r\nAs mentioned earlier in the article, BlackCat claimed responsibility for a breach of Reddit in 2023. In Reddit’s\r\ncase, an employee was phished, compromising internal documents and source code.\r\nBlackCat attackers demanded $4.5 million and the rollback of Reddit’s API pricing changes (a rare instance of a\r\nquasi-political demand). Reddit did not pay, and BlackCat leaked some of the stolen data on its site.\r\nWhile the platform wasn’t taken down (no ransomware deployed), the Reddit hack serves as a wake-up call for\r\nother companies to bolster their cybersecurity measures, train their employees regularly, and consider\r\ncybersecurity implications in their business decisions.\r\nEstée Lauder – Consumer Goods (July 2023)\r\nBlackCat infiltrated Estée Lauder, a global cosmetics company, in July 2023. In a curious twist, Estée Lauder was\r\nconcurrently hit by the Clop ransomware via a supply-chain (MOVEit) vulnerability. Both BlackCat and Clop\r\nclaimed responsibility for the breach. BlackCat’s involvement included accessing the corporate network and\r\nexfiltrating data.\r\nGroup-IB investigators find the overlap of two major ransomware groups in one incident to be unusual and\r\npossibly coincidental. 
Furthermore, we observe a widening gap between cybersecurity measures and real digital\r\nmaturity, where an organization can fall victim to multiple actors if multiple vulnerabilities exist.\r\nCritical Infrastructure and Government\r\nAs further indication that no industry is off-limits, BlackCat/ALPHV ransomware and Conti hackers were said to\r\nhave been behind the February 2022 cyberattacks that affected oil transport and storage companies across Europe.\r\nAt the same time, large-scale cyberattacks have also targeted port facilities in Belgium, Germany, and the\r\nNetherlands.\r\nIT systems were disrupted at SEA-Invest in Belgium and Evos in the Netherlands, and there are further reports\r\nthat BlackCat ransomware has compromised systems at Oiltanking GmbH Group and Mabanaft Group in\r\nGermany. This wave of attacks is reminiscent of DarkSide’s ransomware attack on Colonial Pipeline, a major U.S.\r\nfuel pipeline operator.\r\nIn another BlackCat attack, EPM (a Colombian energy supplier) was forced to halt operations after falling victim\r\nto the ransomware group. A DOJ 2023 press release later reported BlackCat had impacted networks that support\r\nU.S. government agencies and critical infrastructure, including sectors like transportation or manufacturing.\r\nA pattern emerges: ALPHV’s sting is felt across industries like healthcare, retail, hospitality, technology, and\r\ngovernment. While not all incidents come to light, we believe that BlackCat affiliates are prowling for high-value\r\n(and lucrative) targets that can’t afford downtime. The geographic reach is also broad, including the U.S., Europe,\r\nand Asia. 
That said, BlackCat and its affiliates are Russian-speaking and avoid attacking CIS (former Soviet)\r\ncountries by code design, as is common with ransomware from that region.\r\nThe key takeaway from these incidents is that BlackCat attacks lead to multi-faceted crises: operational\r\ndisruption, data breach notification, regulatory fines, customer lawsuits, and steep recovery costs. Many victims\r\nsuffer extortion twice (paying ransom and dealing with data breach fallout).\r\nBlackCat Ransomware Exit Scam and Rebranding\r\nBlackCat’s trajectory took a dramatic turn in March 2024 after the massive $22 million ransom payment from\r\nChange Healthcare. Shortly after the payoff, BlackCat closed its leak site and announced the sale of its RaaS\r\nsource code for USD 5 million.\r\nThe gang announced that its infrastructure had been compromised by “the feds,” even putting up a seizure\r\nmessage. In reality, this proved to be a ruse. In our Ransomware Readiness white paper, Group-IB threat\r\nintelligence analysts note that BlackCat pretended the FBI seized its site as cover for an exit scam.\r\nLaw enforcement actions around the same time (the U.S. DOJ reported seizing BlackCat servers in late 2023) may\r\nhave contributed to pressure, but the catalyst for BlackCat’s shutdown appears to have been greed—the\r\nadministrators cashing out after their record-breaking ransom success. This betrayal caused BlackCat affiliates to\r\nmigrate to other ransomware programs to continue their attacks.\r\nA few months after BlackCat’s so-called “goodbye,” a suspiciously familiar ransomware operation surfaced. A\r\nnew RaaS group calling itself Cicada3301 began advertising on darknet forums and listing its first victims.\r\nWhile some believe this may be a rebrand, it’s difficult to say for sure whether Cicada3301 fully adopted the\r\nALPHV/BlackCat ransomware codebase. 
It’s more plausible that the group borrowed specific functionalities,\r\nsuch as anti-recovery commands, rather than integrating the full source code.\r\nThough code-level similarities exist, distinct differences point to a partial reuse rather than a full clone. That said,\r\nif anyone did get their hands on ALPHV’s source, Cicada3301 appears to be the most likely candidate.\r\nOur researchers observed that Cicada3301’s malware bore strong code-level similarities to BlackCat’s. Both were\r\nwritten in Rust, targeted Windows/Linux/ESXi, and even shared particular functionality (e.g., using the same\r\nmethods to halt VMs and clear logs).\r\nDiscover how Group-IB’s threat intelligence analysts infiltrated the Cicada3301 Ransomware group in 2024.\r\nKey observations: Compared to BlackCat’s brazen attacks, Cicada3301 targets mostly smaller businesses via\r\ncommon attack vectors like exposed RDP (using stolen or weak credentials). Given the heat on BlackCat, this\r\ncould be an attempt to stay under law enforcement’s radar.\r\nAccording to Group-IB’s High-Tech Crime Trends 2025 report, BlackCat’s exit scam (along with a similar scam\r\nby the NoEscape gang) undermined confidence among ransomware affiliates. Our analysts believe this could lead\r\nto affiliates being quicker to jump ship or demanding more decentralized control to avoid being left empty-handed.\r\nWe may also see new groups and extortion models rise to fill the vacuum. Indeed, within months of BlackCat’s\r\ndisappearance, multiple new RaaS brands (like Cicada3301 and others) were already on the scene. Organizations\r\ntoday must be vigilant as threat actors shift identities and tactics in response to mounting legal pressure.\r\nDefensive Strategies Against BlackCat Ransomware\r\nBelow are key defensive recommendations and best practices informed by recent ransomware incidents and\r\nGroup-IB’s frontline cyber threat investigations:\r\n1. 
Strengthen Authentication and Access Controls\r\nSince BlackCat often gained entry via stolen or weak credentials, organizations should enforce multi-factor\r\nauthentication (MFA) on all remote access and sensitive accounts.\r\nUse phishing-resistant MFA like hardware security keys (FIDO2/WebAuthn) or certificate-based\r\nauthentication. Traditional OTP apps or push MFA can be compromised by SIM swapping or push fatigue\r\ntactics that BlackCat affiliates use.\r\nEnsure that MFA is enabled for VPNs, RDP gateways, email, and administrative accounts.\r\nPasswords should never be reused across services. Implementing password managers and regularly rotating\r\nprivileged credentials can help reduce the risk of credential dumps.\r\nPractice the principle of least privilege through an identity and access management system (IAM).\r\nPrivileged access management (PAM) solutions create additional authentication barriers for admin access\r\nand isolate privileged sessions, making it harder for attackers to leap from an employee account to a\r\ndomain admin account.\r\n2. Improve User Awareness\r\nGroup-IB has identified several “persuasive” emails and text messages used by BlackCat with legitimate-sounding\r\ndetails (e.g., package delivery notices) to lure users. Given these cunning social engineering tactics, we\r\nrecommend prioritizing user awareness training as your cybersecurity defense’s critical, human-centered layer.\r\nConduct regular security awareness training covering phishing, spear-phishing, and phone-based scams.\r\nTeach staff how to verify unsolicited contacts claiming to be IT support, and to be wary of any message\r\nurging urgent action on their account.\r\nSimulate monthly phishing attacks to test employees – this can identify who might need extra training.\r\nEnsure there’s a 24/7 open channel for employees to report suspected phishing or strange IT requests.\r\n3. 
Close Common Entry Points\r\nBlackCat actively targets known vulnerabilities in external-facing systems, making patch management a key\r\ndefensive strategy.\r\nPrioritize patching any vulnerabilities known to be exploited in the wild (CISA’s database of exploited\r\nvulnerabilities is a good guide).\r\nMitigate Exchange bugs like ProxyShell, update remote desktop services, and apply fixes for any widely\r\nused software (VPNs, virtualization, etc.).\r\nIf a system cannot be patched immediately, consider taking it offline or applying interim mitigation (like\r\ndisabling an affected feature or adding WAF rules).\r\nAttack surface management solutions help prioritize remediation tasks with threat intelligence insights.\r\nSecurity teams can continuously scan the entire IPv4 space and beyond to identify all Internet-facing\r\nassets, including shadow IT, forgotten infrastructure, and misconfigurations that may expose an internal\r\nasset to the open web.\r\nUse network segmentation to separate critical servers (databases, domain controllers, and backups) from\r\nthe user network.\r\n4. Detect and Respond to Intrusions Quickly\r\nDeploy advanced Endpoint Detection and Response (EDR) tools on servers and workstations.\r\nEDR can catch suspicious behavior, such as credential dumping, unusual PowerShell execution, or a\r\nransomware binary trying to mass-encrypt files. Advanced EDR solutions can even halt encryption in\r\nprogress.\r\nEnsure that logging is enabled and centralized. 
Windows Event Logs (especially Security logs, Sysmon\r\nlogs), firewall logs, VPN access logs, and DNS logs should feed into a SIEM or monitoring system where\r\nalerts can be generated.\r\nUse fraud protection behavioral analytics to flag anomalies, such as an account logging in at odd hours, an\r\nadmin tool running on a non-admin machine, or a workstation suddenly initiating connections to dozens of\r\nother PCs or to an IP in a foreign country.\r\nConduct regular incident response drills (tabletop exercises and live simulations) for a ransomware\r\nscenario. The speed of BlackCat’s encryption (often minutes to an hour for an enterprise) means every\r\nsecond counts once an attack is detected. Ensure your team knows how to isolate an infected machine\r\nquickly, disconnect from the VPN or domain to stop propagation, and activate backups.\r\nGroup-IB recommends exercising your security program against behaviors mapped to frameworks like\r\nMITRE ATT\u0026CK to validate that your controls can detect or prevent those techniques.\r\n5. Protect and Isolate Backups\r\nFollow the 3-2-1 backup rule by keeping at least three copies of critical data, on two different media, with one\r\ncopy offline and offsite.\r\nRansomware cannot access offline (immutable) backups. You can use disk or cloud backup services that\r\noffer immutability (write-once-read-many storage).\r\nEnsure backup admin interfaces are not exposed to the general network and that MFA is required to access\r\nthem. Segment backup systems from the domain if possible (so domain admin creds alone can’t delete\r\nbackups).\r\nImplement delayed deletion for cloud backups (so that if an attacker tries to delete them, they remain\r\nrecoverable for a period).\r\nSecure backup credentials. 
BlackCat ransomware analysis shows that attackers have tools to extract backup\r\nsoftware passwords, so use strong, unique credentials for backup systems and monitor login attempts to\r\nthose consoles.\r\nIf using Windows Shadow Copies, you can monitor or lock the VSS admin functions to prevent\r\nunauthorized deletion. In the event of an incident, having intact backups that ransomware groups couldn’t\r\nencrypt will reduce the temptation to pay a ransom.\r\n6. Incident Response and External Support\r\nIf, despite all efforts, your organization ends up in an attacker’s crosshairs, ensure you have a strong Incident\r\nResponse (IR) plan ready.\r\nYour incident response plan must clearly define steps for technical containment (like network isolation and\r\nimmediate password resets), internal and external communications, legal protocols, and interactions with\r\nlaw enforcement.\r\nMaintain an incident response retainer with cybersecurity firms where dedicated IR specialists can assist in\r\ncomprehensive analysis, containment, and remediation to restore operations fast.\r\nFor an accurate assessment of your organization’s current readiness, Group-IB’s Cybersecurity Ultimate\r\nAssessment Guide helps you evaluate your security posture, uncover vulnerabilities, and take decisive actions to\r\nstrengthen defenses against emerging threats.\r\nHow Group-IB Helps Organizations Stay Ahead of Ransomware\r\nAs ransomware groups continue to innovate, Group-IB has helped organizations create a resilient and secure\r\nenvironment through strategic threat intelligence and expert incident response.\r\nHere’s how our approach works to defend against and outrun threats like BlackCat:\r\n1. Early warning: Group-IB Threat Intelligence Platform (with over 850 threat actor profiles) helps you to\r\nunderstand ransomware trends and anticipate attacks by monitoring dark web forums, leak sites, and\r\nmalware developments. 
You’ll receive actionable insights into attacker behaviors to strengthen your\r\ndefenses against emerging ransomware tactics.\r\n2. 24/7 threat monitoring and detection: For real-time defense, our Managed Extended Detection and\r\nResponse (XDR) is built with threat hunting and intel to monitor your endpoints, network, and cloud. We\r\ncan detect early signs of ransomware, like unusual admin activities, and isolate affected systems, evicting\r\nadversaries before they detonate ransomware. To guarantee peace of mind, an expert Compromise\r\nAssessment can identify hidden threats and cybersecurity gaps that could lead to incidents in the future.\r\n3. Reduce potential attack surface: Our external Attack Surface Management solution scans and assesses\r\nexternal-facing assets for weaknesses. It will highlight exposed RDP ports, out-of-date VPN appliances, or\r\nforgotten websites that could serve as entry points.\r\n4. Secure email gateways: Many ransomware attacks start with a phishing email. You can block phishing\r\nattempts before they reach employees with Business Email Protection, which recognizes phishing domains\r\nor malware attachments.\r\n5. Restore business continuity: In the event of an attack, the Group-IB Incident Response team can jump in\r\nto identify the intrusion vector, secure the network, and help restore systems. Our goal is to minimize\r\ndowntime and data loss. 
This includes negotiating with threat actors, coordinating with law enforcement,\r\nand leveraging available decryption tools or keys.\r\nNo single tool or strategy can stop a sophisticated RaaS group like BlackCat, but a layered defense can raise the\r\ncost and difficulty of attack to the point where the adversary might turn tail, or move on to an easier target.\r\nRecognized by Gartner as a Representative Vendor in the Market Guide for Security Threat Intelligence Products\r\nand Services, Group-IB offers the industry’s most complete and detailed insights into threat actors and their\r\nactivities. We continuously update our tools and methodologies to integrate new detection analytics for malware\r\nvariants and to track the emergence of BlackCat rebrands like Cicada3301.\r\nWith the latest intelligence, robust security controls, and expert response capabilities, businesses can defend\r\nthemselves and significantly reduce the risk of falling victim. Explore Group-IB’s solutions for ransomware\r\nprotection to give your organization a decisive advantage.\r\nFAQs\r\nWhat is BlackCat ransomware?\r\nBlackCat ransomware (also known as ALPHV) is a sophisticated Ransomware-as-a-Service (RaaS) operation that\r\ntargets enterprises with double extortion tactics by encrypting data and threatening to leak it unless a ransom is\r\npaid.\r\nHow does BlackCat ransomware spread?\r\nBlackCat spreads through stolen credentials, phishing emails, VPN exploits, and Remote Desktop Protocol (RDP)\r\nattacks. 
It often uses social engineering or known vulnerabilities to gain initial access.\r\nWhat industries are most targeted by BlackCat?\r\nBlackCat ransomware attacks target industries where downtime or data breaches cause significant harm or\r\nfinancial loss, especially healthcare, hospitality, technology, energy, and critical infrastructure.\r\nWhat encryption techniques does BlackCat use?\r\nBlackCat uses strong AES and RSA encryption methods, customizing its payload to maximize impact across\r\nWindows, Linux, and ESXi systems during a ransomware attack.\r\nHow does BlackCat evade detection and security measures?\r\nTo evade threat detection, BlackCat disables security tools, clears logs, abuses legitimate admin tools, and\r\noperates stealthily using customized scripts and malware built in Rust.\r\nSource: https://blog.group-ib.com/blackcat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/blackcat"
	],
	"report_names": [
		"blackcat"
	],
	"threat_actors": [],
	"ts_created_at": 1777949118,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2670ae0e44b3c5332dd99fa4713d822af9354126.pdf",
		"text": "https://archive.orkl.eu/2670ae0e44b3c5332dd99fa4713d822af9354126.txt",
		"img": "https://archive.orkl.eu/2670ae0e44b3c5332dd99fa4713d822af9354126.jpg"
	}
}