{
	"id": "3a0bc526-2f8e-4407-baa0-33539823fd14",
	"created_at": "2026-04-06T00:18:48.615693Z",
	"updated_at": "2026-04-10T03:29:39.746548Z",
	"deleted_at": null,
	"sha1_hash": "4148b478b65d67f6875f0bd868c52661da110390",
	"title": "#StopRansomware: ALPHV Blackcat | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 236533,
	"plain_text": "#StopRansomware: ALPHV Blackcat | CISA\r\nPublished: 2024-02-27 · Archived: 2026-04-05 19:36:12 UTC\r\n1. Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.\r\n2. Prioritize remediation of known exploited vulnerabilities.\r\n3. Enable and enforce multifactor authentication with strong passwords.\r\n4. Close unused ports and remove applications not deemed necessary for day-to-day operations.\r\nSUMMARY\r\nNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish\r\nadvisories for network defenders that detail various ransomware variants and ransomware threat actors. These\r\n#StopRansomware advisories include recently and historically observed tactics, techniques, and procedures\r\n(TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit\r\nstopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats\r\nand no-cost resources.\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the\r\nDepartment of Health and Human Services (HHS) are releasing this joint CSA to disseminate known IOCs and\r\nTTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations\r\nas recently as February 2024.\r\nThis advisory provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise\r\nreleased April 19, 2022, and to this advisory released December 19, 2023. ALPHV Blackcat actors have since\r\nemployed improvised communication methods by creating victim-specific emails to notify of the initial\r\ncompromise. Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most\r\ncommonly victimized. 
This is likely in response to the ALPHV Blackcat administrator’s post encouraging its\r\naffiliates to target hospitals after operational action against the group and its infrastructure in early December\r\n2023.\r\nFBI, CISA, and HHS encourage critical infrastructure organizations to implement the recommendations in the\r\nMitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data\r\nextortion incidents.\r\nIn February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx\r\nupdate, which was rewritten to provide additional features to affiliates, such as better defense evasion and\r\nadditional tooling. This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices,\r\nand VMware instances. ALPHV Blackcat affiliates have extensive networks and experience with ransomware and\r\ndata extortion operations.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a\r\nPage 1 of 8\n\nTECHNICAL DETAILS\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 14. See the MITRE\r\nATT\u0026CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK\r\ntactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT\u0026CK framework,\r\nsee CISA and MITRE ATT\u0026CK’s Best Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nALPHV Blackcat affiliates use advanced social engineering techniques and open source research on a company to\r\ngain initial access. Actors pose as company IT and/or helpdesk staff and use phone calls or SMS messages [T1598]\r\nto obtain credentials from employees to access the target network [T1586]. 
ALPHV Blackcat affiliates use\r\nuniform resource locators (URLs) to live-chat with victims to convey demands and initiate processes to restore the\r\nvictims’ encrypted files.\r\nAfter gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as\r\nAnyDesk, MEGAsync, and Splashtop in preparation for data exfiltration. ALPHV Blackcat affiliates create a user\r\naccount, “aadmin,” and use Kerberos token generation for domain access [T1558]. After gaining access to\r\nnetworks, they use legitimate remote access and tunneling tools, such as Plink and Ngrok [S0508]. ALPHV\r\nBlackcat affiliates claim to use Brute Ratel C4 [S1063] and Cobalt Strike [S0154] as beacons to command\r\nand control servers. ALPHV Blackcat affiliates use the open source adversary-in-the-middle [T1557] phishing\r\nframework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login\r\ncredentials, and session cookies. The actors also obtain passwords from the domain controller, local network, and\r\ndeleted backup servers to move laterally throughout the network [T1555].\r\nTo evade detection, affiliates employ allowlisted applications such as Metasploit. Once installed on the domain\r\ncontroller, the logs on the Exchange server are cleared. Then Mega.nz or Dropbox are used to move, exfiltrate,\r\nand/or download victim data. The ransomware is then deployed, and the ransom note is dropped as a .txt file.\r\nAccording to public reporting, affiliates have additionally used POORTRY and STONESTOP to terminate security\r\nprocesses.\r\nSome ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying\r\nransomware. After exfiltrating and/or encrypting data, ALPHV Blackcat affiliates communicate with victims via\r\nTOR [S0183], Tox, email, or encrypted applications. 
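The TTPs in this section and the IOCs in Tables 1 through 4 can be swept for in existing telemetry before any new tooling is deployed. The following is an added example written for this page; it is not part of the CISA advisory and not FBI, CISA, or HHS tooling. It embeds a subset of the hashes and network indicators from Tables 1 through 4, refangs the published [.] notation, and checks constructed log lines for those indicators and for the behaviours described in Technical Details: the aadmin account, remote access and tunneling tools, and the RECOVER-<extension>-FILES.txt ransom note name. The executable stems assumed for the remote access tools, the key=value log format, and the sample lines are assumptions of the example, not observations from the advisory.

```python
# Added example, not part of the CISA advisory and not FBI/CISA/HHS tooling:
# an offline matcher that operationalises this advisory's indicators against
# line-oriented logs (EDR, DNS, firewall, or Windows event exports).
# Indicators below are a subset of Tables 1-4, kept defanged exactly as they
# are published; the log lines at the bottom are constructed for the demo.

MD5_HASHES = {
    '944153fb9692634d6c70899b83676575',  # ALPHV Windows encryptor
    '341d43d4d5c2e526cadd88ae8da70c1c',  # Anti Virus Tools Killer (363.sys)
    '34aac5719824e5f13b80d6fe23cbfa07',  # Cobalt Strike BEACON (LMtool.exe)
    '61804a029e9b1753d58a6bf0274c25a6',  # MeshCentral agent (WPEHOSTSVC64.exe)
}
SHA256_HASHES = {
    'c64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16',  # ALPHV Windows encryptor
    'bbfe7289de6ab1f374d0bcbeecf31cad2333b0928ea883ca13b9e733b58e27b1',  # ALPHV Linux encryptor
}
NETWORK_IOCS = {
    'resources.docusong[.]com',                     # C2
    'pcrendal[.]com',                               # C2
    'Fisa99.screenconnect[.]com',                   # ScreenConnect remote access
    'instance-qqemas-relay[.]screenconnect[.]com',  # ScreenConnect remote access
    '5.199.168[.]24',                               # C2
    '91.92.254[.]193',                              # SimpleHelp remote access
    '45.32.141[.]168',                              # C2
    '45.77.0[.]92',                                 # C2
}
# Behaviours from Technical Details. The advisory names products, not binaries,
# so these executable stems are an assumption of this example.
REMOTE_ACCESS_TOOLS = {'anydesk', 'megasync', 'splashtop', 'plink', 'ngrok',
                       'simplehelp', 'screenconnect', 'meshagent'}
SUSPICIOUS_ACCOUNT = 'aadmin'   # account the affiliates were observed creating

BS = chr(92)                                  # a backslash, for Windows paths below
DELIMS = '=,;:()<>[]{}' + chr(34) + chr(39)   # field separators plus both quote characters


def refang(ioc):
    # Published indicators are defanged with [.]; live logs are not.
    return ioc.replace('[.]', '.').lower()


NETWORK_REFANGED = {refang(i) for i in NETWORK_IOCS}


def tokens(line):
    # Compare whole tokens, so that '45.77.0.92' does not fire on '145.77.0.92'.
    for ch in DELIMS:
        line = line.replace(ch, ' ')
    return [t.strip('.').lower() for t in line.split()]


def leaf(token):
    # Last path component, so a full Windows or POSIX path reduces to 'anydesk.exe'.
    for sep in ('/', BS):
        token = token.split(sep)[-1]
    return token


def scan_line(line):
    hits = []
    for tok in tokens(line):
        name = leaf(tok)
        stem = name.split('.')[0]
        if tok in MD5_HASHES or tok in SHA256_HASHES:
            hits.append(('hash', tok))
        elif tok in NETWORK_REFANGED:
            hits.append(('network', tok))
        elif tok == SUSPICIOUS_ACCOUNT:
            hits.append(('account', tok))
        elif name.startswith('recover-') and name.endswith('-files.txt'):
            hits.append(('ransom_note', name))   # RECOVER-<ext>-FILES.txt
        elif stem in REMOTE_ACCESS_TOOLS:
            hits.append(('remote_access_tool', stem))
    return hits


def scan(lines):
    # (line number, category, indicator) per hit, so the caller can pivot on
    # the host and time fields of the original line.
    return [(n, cat, ind)
            for n, line in enumerate(lines, 1)
            for cat, ind in scan_line(line)]


# Constructed sample log lines (key=value style); not real telemetry.
SAMPLE_LOGS = [
    '2024-02-20T09:12:03Z host=DC01 event=4720 msg=user account created target=aadmin by=jdoe',
    f'2024-02-20T09:15:44Z host=WS01 event=ProcessCreate image=C:{BS}Tools{BS}AnyDesk.exe',
    '2024-02-20T09:20:10Z host=WS01 event=DnsQuery name=resources.docusong.com type=A',
    '2024-02-20T09:20:11Z host=WS01 event=NetConn dst=45.32.141.168:443 proto=tcp',
    '2024-02-20T11:02:55Z host=FS02 event=FileCreate path=D:/share/7O3cCX9YcHMV2.exe '
    'sha256=c64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16',
    '2024-02-20T11:05:12Z host=FS02 event=FileCreate path=D:/share/RECOVER-abc1234-FILES.txt',
    '2024-02-20T11:06:00Z host=WS07 event=NetConn dst=145.77.0.92:443 proto=tcp',   # no hit
    '2024-02-20T11:07:30Z host=WS07 event=ProcessCreate image=C:/Windows/System32/conhost.exe',
]

if __name__ == '__main__':
    for n, cat, ind in scan(SAMPLE_LOGS):
        print(f'line {n}: {cat} -> {ind}')
```

Matching on whole tokens rather than substrings matters for the IP indicators (145.77.0.92 must not fire on 45.77.0[.]92). Hash and network matches are the only high-confidence hits here; the product names and the account name are behavioural and need triage against each host’s normal baseline, which is the point of the network monitoring and EDR guidance in the Mitigations section.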
The threat actors then delete victim data from the victim’s\r\nsystem.\r\nALPHV Blackcat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment,\r\noffering to provide victims with “vulnerability reports” and “security recommendations” detailing how they\r\npenetrated the system and how to prevent future re-victimization upon receipt of ransom payment. The ALPHV\r\nBlackcat encryptor drops a ransom note with the following naming convention: RECOVER-(seven-digit extension)-FILES.txt.\r\nFigure 1: Ransom Note Instruction\r\nINDICATORS OF COMPROMISE (IOCs)\r\nTable 1: MD5 Hashes\r\nMD5 | Description | File Name\r\n944153fb9692634d6c70899b83676575 | ALPHV Windows Encryptor |\r\n341d43d4d5c2e526cadd88ae8da70c1c | Anti Virus Tools Killer | 363.sys\r\n34aac5719824e5f13b80d6fe23cbfa07 | CobaltStrike BEACON | LMtool.exe\r\neea9ab1f36394769d65909f6ae81834b | CobaltStrike BEACON | Info.exe\r\n379bf8c60b091974f856f08475a03b04 | ALPHV Linux Encryptor | him\r\nebca4398e949286cb7f7f6c68c28e838 | SimpleHelp Remote Management tool | first.exe\r\nc04c386b945ccc04627d1a885b500edf | Tunneler Tool | conhost.exe\r\n824d0e31fd08220a25c06baee1044818 | Anti Virus Tools Killer | ibmModule.dll\r\neea9ab1f36394769d65909f6ae81834b | CobaltStrike BEACON | ConnectivityDiagnos.exe\r\n944153fb9692634d6c70899b83676575 | ALPHV Windows Encryptor | 7O3cCX9YcHMV2.exe\r\n61804a029e9b1753d58a6bf0274c25a6 | MeshCentral Agent | WPEHOSTSVC64.exe\r\n83deea3b61b6a734e7e4a566dbb6bffa | ScreenConnect \u0026 attacker tools installer | deployService.exe\r\n8738b8637a20fa65c6e64d84d1cfe570 | Suspected Proxy Tool | socks32.exe\r\nTable 2: SHA256 Hashes\r\nSHA256 | Description\r\nc64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16 | ALPHV Windows Encryptor\r\n1f5e4e2c78451623cfbf32cf517a92253b7abfe0243297c5ddf7dd1448e460d5 | Anti Virus Tools Killer\r\n3670dd4663adca40f168f3450fa9e7e84bc1a612d78830004020b73bd40fcd71 | CobaltStrike BEACON\r\naf28b78c64a9effe3de0e5ccc778527428953837948d913d64dbd0fa45942021 | CobaltStrike BEACON\r\nbbfe7289de6ab1f374d0bcbeecf31cad2333b0928ea883ca13b9e733b58e27b1 | ALPHV Linux Encryptor\r\n5d1df950b238825a36fa6204d1a2935a5fbcfe2a5991a7fc69c74f476df67905 | SimpleHelp Remote Management tool\r\nbd9edc3bf3d45e3cdf5236e8f8cd57a95ca3b41f61e4cd5c6c0404a83519058e | Tunneler Tool\r\n732e24cb5d7ab558effc6dc88854f756016352c923ff5155dcb2eece35c19bc0 | Anti Virus Tools Killer\r\nTable 3: SHA1 Hashes\r\nSHA1 | Description\r\n3dd0f674526f30729bced4271e6b7eb0bb890c52 | ALPHV Windows Encryptor\r\nd6d442e8b3b0aef856ac86391e4a57bcb93c19ad | Anti Virus Tools Killer\r\n6b52543e4097f7c39cc913d55c0044fcf673f6fc | CobaltStrike BEACON\r\n004ba0454feb2c4033ff0bdb2ff67388af0c41b6 | CobaltStrike BEACON\r\n430bd437162d4c60227288fa6a82cde8a5f87100 | SimpleHelp Remote Management tool\r\n1376ac8b5a126bb163423948bd1c7f861b4bfe32 | Tunneler Tool\r\n380f941f8047904607210add4c6da2da8f8cd398 | Anti Virus Tools Killer\r\nTable 4: Network Indicators (defanged; replace [.] with . before use)\r\nIndicator Type | Network Indicator | Description\r\nDomain | resources.docusong[.]com | Command and Control Server\r\nDomain | Fisa99.screenconnect[.]com | ScreenConnect Remote Access\r\nIP Address | 5.199.168[.]24 | Command and Control Server\r\nIP Address | 91.92.254[.]193 | SimpleHelp Remote Access\r\nDomain | pcrendal[.]com | Command and Control Server\r\nDomain | instance-qqemas-relay[.]screenconnect[.]com | ScreenConnect Remote Access\r\nDomain | instance-rbjvws-relay.screenconnect[.]com | ScreenConnect Remote Access\r\nIP Address | 5.199.168[.]233 | IP Address used by Threat Actor\r\nIP Address | 92.223.89[.]55 | IP Address used by Threat Actor\r\nIP Address | 185.195.59[.]218 | IP Address used by Threat Actor\r\nIP Address | 51.159.103[.]112 | IP Address used by Threat Actor\r\nIP Address | 45.32.141[.]168 | Command and Control Server\r\nIP Address | 45.77.0[.]92 | Command and Control Server\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nSee Table 5 through Table 7 for all referenced threat actor tactics and techniques in this advisory.\r\nTable 5: ALPHV Blackcat/ALPHV Threat Actors ATT\u0026CK Techniques – Reconnaissance\r\nTechnique Title | ID | Use\r\nPhishing for Information | T1598 | ALPHV Blackcat affiliates pose as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees to access the target network.\r\nTable 6: ALPHV Blackcat/ALPHV Threat Actors ATT\u0026CK Techniques – Resource Development\r\nTechnique Title | ID | Use\r\nCompromise Accounts | T1586 | ALPHV Blackcat affiliates use compromised accounts to gain access to victims’ networks.\r\nTable 7: ALPHV Blackcat/ALPHV Threat Actors ATT\u0026CK Techniques – Credential Access\r\nTechnique Title | ID | Use\r\nCredentials from Password Stores | T1555 | ALPHV Blackcat affiliates obtain passwords from local networks, deleted servers, and domain controllers.\r\nSteal or Forge Kerberos Tickets | T1558 | ALPHV Blackcat/ALPHV affiliates use Kerberos token generation for domain access.\r\nAdversary-in-the-Middle | T1557 | ALPHV Blackcat/ALPHV affiliates use the open-source framework Evilginx2 to obtain MFA credentials, login credentials, and session cookies for targeted networks.\r\nINCIDENT RESPONSE\r\nIf compromise is detected, organizations should:\r\n1. Quarantine or take offline potentially affected hosts.\r\n2. Reimage compromised hosts.\r\n3. Provision new account credentials.\r\n4. Collect and review artifacts such as running processes/services, unusual authentications, and recent\r\nnetwork connections.\r\n5. 
Report the compromise or phishing incident to CISA via CISA’s 24/7 Operations Center (report@cisa.gov\r\nor 1-844-Say-CISA). State, local, tribal, or territorial government entities can also report to MS-ISAC\r\n(SOC@cisecurity.org or 866-787-4722).\r\n6. To report spoofing or phishing attempts (or to report that you’ve been a victim), file a complaint with the\r\nFBI’s Internet Crime Complaint Center (IC3), or contact your local FBI Field Office to report an incident.\r\nMITIGATIONS\r\nThese mitigations apply to all critical infrastructure organizations and network defenders. FBI, CISA, and HHS\r\nrecommend that software manufacturers incorporate secure by design principles and tactics into their software\r\ndevelopment practices, limiting the impact of ransomware techniques and strengthening the security posture of\r\ntheir customers.\r\nFor more information on secure by design, see CISA’s Secure by Design webpage and joint guide.\r\nFBI, CISA, and HHS recommend organizations implement the mitigations below to improve their\r\ncybersecurity posture based on threat actor activity and to reduce the risk of compromise by ALPHV Blackcat\r\nthreat actors. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed\r\nby CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of\r\npractices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the\r\nCPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful\r\nthreats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more\r\ninformation on the CPGs, including additional recommended baseline protections. 
Due to the threat ALPHV\r\nBlackcat poses to the healthcare sector, healthcare organizations can look to the Healthcare and Public Health\r\n(HPH) Sector Cybersecurity Performance Goals to implement cybersecurity protections against the most common\r\nthreats, tactics, techniques, and procedures used against this sector.\r\nSecure remote access tools by:\r\nImplementing application controls to manage and control execution of software, including\r\nallowlisting remote access programs. Application controls should prevent installation and execution\r\nof portable versions of unauthorized remote access and other software. A properly configured\r\napplication allowlisting solution will block any unlisted application execution. Allowlisting is\r\nimportant because antivirus solutions may fail to detect the execution of malicious portable\r\nexecutables when the files use any combination of compression, encryption, or obfuscation.\r\nApplying recommendations in CISA's joint Guide to Securing Remote Access Software.\r\nImplementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA [CPG\r\n2.H][HPH CPG – Multifactor Authentication]. These MFA implementations are resistant to phishing and\r\nnot susceptible to push bombing or SIM swap attacks, which are techniques known to be used by ALPHV\r\nBlackcat affiliates. Adversary-in-the-middle phishing of the kind described in Technical Details captures\r\none-time codes, push approvals, and session cookies, but cannot replay a FIDO/WebAuthn assertion, which is\r\nbound to the legitimate origin. See CISA’s Fact Sheet Implementing Phishing-Resistant MFA for more information.\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated\r\nransomware with a network monitoring tool. To aid in detecting ransomware, implement a tool that\r\nlogs and reports all network traffic [CPG 5.1][HPH CPG – Detect and Respond to Relevant Threats and\r\nTactics, Techniques and Procedures], including lateral movement activity on a network. 
Endpoint detection\r\nand response (EDR) tools are useful for detecting lateral connections as they have insight into common and\r\nuncommon network connections for each host.\r\nImplement user training on social engineering and phishing attacks [CPG 2.I][HPH CPG – Basic\r\nCybersecurity Training]. Regularly educate users on identifying suspicious emails and links, not interacting\r\nwith those suspicious items, and the importance of reporting instances of opening suspicious emails, links,\r\nattachments, or other potential lures.\r\nImplement internal mail and messaging monitoring. Monitoring internal mail and messaging traffic to\r\nidentify suspicious activity is essential as users may be phished from outside the targeted network or\r\nwithout the knowledge of the organizational security team. Establish a baseline of normal network traffic\r\nand scrutinize any deviations.\r\nImplement free security tools to prevent cyber threat actors from redirecting users to malicious websites\r\nto steal their credentials. For more information, see CISA’s Free Cybersecurity Services and Tools\r\nwebpage.\r\nInstall and maintain antivirus software. Antivirus software recognizes malware and protects your\r\ncomputer against it. Installing antivirus software from a reputable vendor is an important step in preventing\r\nand detecting infections. Always visit vendor sites directly rather than clicking on advertisements or email\r\nlinks. Because attackers are continually creating new viruses and other forms of malicious code, it is\r\nimportant to keep your antivirus software up to date.\r\nVALIDATE SECURITY CONTROLS\r\nIn addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s\r\nsecurity program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this\r\nadvisory. 
CISA recommends testing your existing security controls inventory to assess how they perform against\r\nthe ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Tables 5-7).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by\r\nthis process.\r\nCISA and FBI recommend continually testing your security program, at scale, in a production environment to\r\nensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nRESOURCES\r\nStopRansomware.gov is a whole-of-government resource that gives one central location for ransomware\r\nresources and alerts.\r\nResource to reduce the risk of a ransomware attack: #StopRansomware Guide.\r\nNo-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.\r\nHealth and Human Services HPH Cybersecurity Gateway hosts the HPH CPGs and links to HHS\r\ncybersecurity resources.\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. FBI, CISA, and HHS do\r\nnot endorse any commercial entity, product, company, or service, including any entities, products, or services\r\nlinked within this document. 
Any reference to specific commercial entities, products, processes, or services by\r\nservice mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation,\r\nor favoring by FBI, CISA, and HHS.\r\nVERSION HISTORY\r\nDecember 19, 2023: Initial version.\r\nFebruary 27, 2024: Update.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a"
	],
	"report_names": [
		"aa23-353a"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4148b478b65d67f6875f0bd868c52661da110390.pdf",
		"text": "https://archive.orkl.eu/4148b478b65d67f6875f0bd868c52661da110390.txt",
		"img": "https://archive.orkl.eu/4148b478b65d67f6875f0bd868c52661da110390.jpg"
	}
}