{
	"id": "183a1d1b-5dfc-43bc-bd42-e0a692666229",
	"created_at": "2026-04-06T00:21:47.40483Z",
	"updated_at": "2026-04-10T03:29:39.81104Z",
	"deleted_at": null,
	"sha1_hash": "5166e89de3f941b0303e4cb108b0366e2d2a17db",
	"title": "LockBit ransomware now poaching BlackCat, NoEscape affiliates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2362713,
	"plain_text": "LockBit ransomware now poaching BlackCat, NoEscape affiliates\r\nBy Lawrence Abrams\r\nPublished: 2023-12-13 · Archived: 2026-04-05 16:26:52 UTC\r\nThe LockBit ransomware operation is now recruiting affiliates and developers from the BlackCat/ALPHV and NoEscape\r\nafter recent disruptions and exit scams.\r\nLast week, the NoEscape and the BlackCat/ALPHV ransomware operation's Tor websites suddenly became inaccessible\r\nwithout warning.\r\nAffiliates associated with NoEscape claimed that the ransomware operators pulled an exit scam, stealing millions of dollars\r\nin ransom payments and shutting off the operation's web panels and data leak sites.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nNoEscape is believed to be a rebrand of the Avaddon ransomware operation, which shut down in June 201 and released their\r\ndecryption keys to BleepingComputer. We hope that NoEscape will once again release the decryption keys for their victims\r\nnow that they have shut down their operation.\r\nThe BlackCat/ALPHV ransomware operation also suffered a 5-day disruption last week, with all their infrastructure going\r\noffline, including their data leak and negotiation sites.\r\nOn Monday, the ALPHV data leak site returned, but with all data removed. While some negotiation URLs are working,\r\nmany are not, effectively halting negotiations for those victims.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/\r\nPage 3 of 6\n\nEmpty BlackCat data leak site\r\nSource: BleepingComputer\r\nThe ALPHV admin claimed that their outage was caused by hardware failure. However, BleepingComputer heard from\r\nmultiple sources that a law enforcement operation was related to the outage.\r\nThe FBI declined to comment when we contacted them about the disruptions.\r\nAre you an ALPHV or NoEscape affiliate or someone with information about the outages? If you want to share the\r\ninformation, you can contact us securely on Signal at +1 (646) 961-3731, via email at tips@bleepingcomputer.com, or by\r\nusing our tips form.\r\nLockBit recruits affiliates from distressed gangs\r\nAs first reported by LeMagIT, LockBitSupp, the LockBit operation's manager, has begun to recruit affiliates from the\r\nBlackCat and NoEscape ransomware operations.\r\nIn posts to a Russian-speaking hacking forum, LockBitSupp told affiliates that if they have backups of the stolen data, they\r\ncould use his data leak site and negotiation panel to continue to extort victims. \r\nIn addition to affiliates, LockBitSupp is trying to recruit the coder for the ALPHV encryptor.\r\nWhile it is unclear if any of the BlackCat/NoEscape affiliates have moved over to LockBit, one BlackCat’s victim has\r\nalready been spotted on LockBit’s data leak site.\r\n\"LockBit ransomware group has added German Energy Agency dena (http://dena.de) to their victim list, which was\r\npreviously a victim of ALPHV ransomware group,\" reads a tweet from FalconFeeds.\r\nBlackCat/ALPHV is a rebrand of the DarkSide and BlackMatter ransomware operations. After BlackMatter’s shutdown in\r\nNovember 2021, its affiliates transitioned to LockBit.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/\r\nPage 4 of 6\n\nBlackMatter affiliate transferring a victim to LockBit site\r\nSource: BleepingComputer\r\nWith LockBit being the largest ransomware operation at this time, LockBitSupp told BleepingComputer that he viewed the\r\nBlackCat outages as a \"Christmas Gift.\"\r\nIt is too soon to tell whether affiliates and penetration testers have lost trust in BlackCat or NoEscape and are moving to\r\nother operations. However, it would not be surprising if we soon see another rebrand.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/"
	],
	"report_names": [
		"lockbit-ransomware-now-poaching-blackcat-noescape-affiliates"
	],
	"threat_actors": [
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5166e89de3f941b0303e4cb108b0366e2d2a17db.pdf",
		"text": "https://archive.orkl.eu/5166e89de3f941b0303e4cb108b0366e2d2a17db.txt",
		"img": "https://archive.orkl.eu/5166e89de3f941b0303e4cb108b0366e2d2a17db.jpg"
	}
}