{
	"id": "c87216ec-eb96-4aa9-9450-b069fdde84f9",
	"created_at": "2026-04-06T00:21:06.62168Z",
	"updated_at": "2026-04-10T03:35:21.380975Z",
	"deleted_at": null,
	"sha1_hash": "523fb5166581a9eaf546153772abe03507916591",
	"title": "BlackCat Ransomware (ALPHV)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 553994,
	"plain_text": "BlackCat Ransomware (ALPHV)\r\nBy Jason Hill\r\nPublished: 2022-01-26 · Archived: 2026-04-05 17:45:30 UTC\r\nFollowing news that members of the infamous ‘big-game hunter’ ransomware group REvil have been arrested by Russian law enforcement, effectively dismantling the group and their operations, it is likely that the group’s affiliates will migrate to other ransomware-as-a-service (RaaS) providers.\r\nVaronis Threat Labs has observed one such RaaS provider, ALPHV (aka BlackCat ransomware), gaining traction since late 2021, actively recruiting new affiliates and targeting organizations across multiple sectors worldwide.\r\nHere are some of the key takeaways:\r\nThe group is actively recruiting ex-REvil, BlackMatter, and DarkSide operators\r\nIncreased activity since November 2021\r\nLucrative affiliate pay-outs (up to 90%)\r\nRust-based ransomware executable (fast, cross-platform, heavily customized per victim)\r\nAES encryption by default\r\nBuilt-in privilege escalation (UAC bypass, Masquerade_PEB, CVE-2016-0099)\r\nCan propagate to remote hosts via PsExec\r\nDeletes shadow copies using VSS Admin\r\nStops VMware ESXi virtual machines and deletes snapshots\r\nThe group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater.\r\nThis article seeks to provide an overview of this emerging ransomware threat, detailing both the Linux and Windows variants of their encryption tool.\r\nBackground\r\nFirst observed in November 2021, ALPHV, also known as ALPHV-ng, BlackCat, and Noberus, is a ransomware-as-a-service (RaaS) threat that targets organizations across multiple sectors worldwide using the triple-extortion tactic.
\r\nBuilding upon the common double-extortion tactic in which sensitive data is stolen prior to encryption and the victim threatened with its public release, triple-extortion adds the threat of a distributed denial-of-service (DDoS) attack if the ransomware group’s demands aren’t met.\r\nhttps://www.varonis.com/blog/alphv-blackcat-ransomware\r\nPage 1 of 13\r\nDemonstrating prior experience in this threat space, such as the use of proven big-game hunter tactics, techniques, and procedures (TTP) and the apparent recent success, this threat was likely created by a former ransomware group member rather than a newcomer.\r\nGoing further, some cybercrime forum users have commented that ALPHV may even be an evolution or rebranding of BlackMatter, itself a ‘spin-off’ or successor of REvil and DarkSide.\r\nPreviously advertised on Russian-language cybercrime forums (Figure 1), affiliates are enticed to join the group with returns of up to ninety percent of any ransom collected.\r\nFigure 1 – ALPHV ‘Looking for WINDOWS/LINUX/ESX pentesters’\r\nWorking with these new affiliates, the initial intrusion of a victim network will likely use tried-and-tested techniques, for example the exploitation of common vulnerabilities in network infrastructure devices such as VPN gateways, and credential misuse via exposed remote desktop protocol (RDP) hosts.\r\nSubsequently, those conducting ALPHV attacks have been observed using PowerShell to modify Windows Defender security settings throughout the victim network, as well as launching the ransomware binary, an interactive process, on multiple hosts using PsExec.\r\nRansomware\r\nHaving gained initial access to a victim network, the group will undoubtedly conduct reconnaissance and lateral movement phases in which sensitive and valuable data will be identified for exfiltration and later encryption.
\r\nUtilizing their own ransomware executable, created afresh rather than being based on some existing threat, the threat actor will build a victim-specific threat that takes into account elements such as encryption performance, perhaps electing to only encrypt parts of large files, as well as embedded victim credentials to allow automated propagation of the ransomware payload to other servers.\r\nUnlike many other ransomware threats, ALPHV was developed using Rust, a programming language known for its fast performance and cross-platform capabilities, leading to both Linux and Windows variants being observed throughout December 2021 and January 2022.\r\nWhilst many suggest that ALPHV could be the first ‘in-the-wild’ ransomware threat using this language, a Rust ransomware proof-of-concept was published on GitHub in June 2020, albeit there is nothing to suggest that the two are in any way related.\r\nNotably, the use of Rust, amongst other modern languages including Golang and Nim, appears to be a growing trend amongst cybercrime threat actors over the past year or two.\r\nIn addition to creating new cross-platform and high-performance threats, some threat actors have also taken to rewriting their older threats, likely to evade detection and thwart analysis, as seen with the updated ‘Buer’ downloader dubbed ‘RustyBuer’.\r\nAnalysis of ALPHV samples collected recently indicates that the development process likely took place during early-to-mid November 2021, given the release history of the Rust ‘crates’ (programming libraries) used.\r\nSpecifically, recently observed ALPHV samples utilize ‘Zeroize’ version 1.4.3, which was not released until November 4, 2021, whilst also using public key cryptography crate versions that were superseded by versions released on November 16 and 17, 2021.
\r\nWhilst many of the Rust crates used are somewhat obvious, such as the use of command-line interface and encryption libraries, the use of Zeroize, a library that securely clears secrets from memory, appears to be a deliberate attempt to prevent encryption secrets from being recovered from a compromised host.\r\nConfiguration\r\nEach victim-specific ALPHV ransomware binary has an embedded JSON data structure (Figure 2) that contains a tailored configuration taking into account the threat actor’s knowledge of the victim network.\r\nFigure 2 – Example embedded JSON data structure\r\nRecently observed samples include configurations with a common set of options (Table 1), some of which apply to both variants and others that are operating system specific.\r\nConfiguration Option: Description\r\nconfig_id: Not set in recently observed samples.\r\npublic_key: Victim-specific RSA public key used to secure the encryption key.\r\nextension: Victim-specific extension appended to encrypted files, a seemingly randomly generated string of seven lowercase alphanumeric characters (Regular Expression: [a-z0-9]{7}).\r\nnote_file_name: Ransom note filename, set to ‘RECOVER-${EXTENSION}-FILES.txt’ in recently observed samples.\r\nnote_full_text: Ransom note text, consistent across recently observed samples, with a victim-specific Tor onion address used for negotiations.\r\nnote_short_text: Windows desktop wallpaper text directing the victim to the ransom note, consistent across recently observed samples.\r\ndefault_file_mode: Typically set to ‘Auto’, although two ‘SmartPattern’ values have been observed that result in a specified number of megabytes of each file being encrypted in steps of ten: map[SmartPattern:[1.048576e+07 10]] and map[SmartPattern:[3.145728e+07 10]]. These values would be set for performance reasons on specific victim hosts, such as when dealing with very large files.\r\ndefault_file_cipher: Set to ‘Best’ in all recently observed samples; attempts to use AES encryption first and falls back to ChaCha20.\r\ncredentials: Victim-specific, and likely used for propagation. Both domain and local administrator credentials have been observed in some samples.\r\nkill_services: Typical list of common Windows services related to applications, backup utilities, security solutions and servers, with some victim-specific services observed in recent samples.\r\nkill_processes: Typical list of common Windows processes related to applications, backup utilities, security solutions and servers, with victim-specific processes observed in recent samples.\r\nexclude_directory_names: Typical list of Windows system directories to ensure that the host remains stable post-encryption (allowing the ransom note to be accessed).\r\nexclude_file_names: Typical list of Windows system files to ensure the host remains stable post-encryption (allowing the ransom note to be accessed).\r\nexclude_file_extensions: Typical list of Windows system file extensions to ensure the host remains stable post-encryption (allowing the ransom note to be accessed).\r\nexclude_file_path_wildcard: Not set in recently observed samples; excludes specified file paths from the encryption process on a per-host/victim basis.\r\nenable_network_discovery: Boolean value, set to ‘true’ in recently observed samples, enabling network discovery via NetBIOS/SMB in search of other hosts to encrypt.\r\nenable_self_propagation: Boolean value; mixed configurations observed in recent samples suggest this is configured on a per-host/victim basis.\r\nenable_set_wallpaper: Boolean value, set to ‘true’ in recently observed samples, resulting in the Windows desktop wallpaper displaying ‘note_short_text’.\r\nenable_esxi_vm_kill: Boolean value, determines if VMware ESXi virtual machines will be terminated.\r\nenable_esxi_vm_snapshot_kill: Boolean value, determines if VMware ESXi virtual machine snapshots will be removed (configuration option only present in recently observed Linux samples).\r\nstrict_include_paths: Not set in recently observed samples; results in the encryption process only processing files within the specified paths.\r\nesxi_vm_kill_exclude: Boolean value, excludes specific VMware ESXi virtual machines from the termination process.\r\nTable 1 – ALPHV Configuration Options\r\nAlthough many options appear within the embedded configurations of both samples, it appears that the ransomware will ignore those that don’t apply to the host; for example, recently observed Windows samples include references to VMware ESXi, a platform supported by the Linux variant, whilst recently observed Linux samples retain references to Windows directories, files, and file extensions.\r\nBased on the command-line options available to both variants, many of the embedded configuration options can likely be overridden at execution.
\r\nCommand-line Interface\r\nLaunching the ransomware with the ‘--help’ parameter conveniently shows available options (Figure 3) and provides an insight into its capabilities.\r\nFigure 3 – ALPHV ‘Core’ Options (Windows variant)\r\nDifferences in the options displayed may indicate an earlier version or victim/Windows-specific variant, with many options allowing the threat actor to override any embedded configuration.\r\nIn addition to these core capabilities, analysis of a recent Linux variant provides insight (Figure 4) into support for VMware ESXi hosts, including the ability to stop virtual machines and, if enabled, wipe virtual machine snapshots to thwart recovery efforts.\r\nFigure 4 – ALPHV ‘ESXi’ Options (Linux variant)\r\nOnce initially launched, both the Linux and Windows variants include a multi-threaded worker pool that spawns a ‘file worker pool’ comprised of four workers that are used to open and modify each target file, replacing the original content with encrypted data.\r\nWindows Variant\r\nHaving initialized its core features, including the creation of the file worker pool, privilege escalation capabilities can be executed by the Windows variant under certain conditions.\r\nGiven that the manual execution of the ransomware element occurs post-intrusion, after the reconnaissance and data exfiltration stages, it is expected that the threat actor would already have elevated privileges.\r\nRegardless, the following privilege escalation capabilities appear to be embedded within the ransomware and will likely increase the chance of success when propagated to other Windows hosts:\r\n‘Masquerade_PEB’, previously released as a proof-of-concept script [6] and used to give a PowerShell process the appearance of another process that in turn could allow elevated operations.
\r\nUser Account Control (UAC) bypass via an elevated COM interface, in this case abusing the Microsoft Connection Manager Admin API Helper for Setup COM object (cmstplua.dll):\r\n%SYSTEM32%\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\nCVE-2016-0099, a Secondary Logon Service exploit via the ‘CreateProcessWithLogonW’ API.\r\nAdditionally, the Windows variant performs a number of processes prior to the encryption phase that differ from common ransomware threats, namely:\r\nAcquiring the host universally unique identifier (UUID) using the Windows Management Instrumentation command-line utility (WMIC) that, along with the ‘access token’ value, generates an ‘access-key’ to allow access to the victim-specific Tor site:\r\nwmic csproduct get UUID\r\nEnabling both ‘remote to local’ and ‘remote to remote’ symbolic links using the file system utility (fsutil) to allow the creation of links that redirect to some other file or directory:\r\nfsutil behavior set SymlinkEvaluation R2L:1\r\nfsutil behavior set SymlinkEvaluation R2R:1\r\nSetting the number of network requests the Server Service can make to the maximum, avoiding any remote file access issues when the encryption process executes, by updating the configuration in the Windows registry:\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f\r\nEnumerating all local disk partitions and, if any hidden partitions are found, mounting these to allow additional data to be encrypted, potentially rendering recovery partitions useless.
\r\nPropagation, if enabled, likely uses credentials contained within the embedded configuration and makes use of PsExec, a Microsoft Windows Sysinternals utility, to execute the ransomware on a remote host:\r\npsexec.exe -accepteula \\\\\u003cTARGET_HOST\u003e -u \u003cUSERNAME\u003e -p \u003cPASSWORD\u003e -s -d -f -c \u003cALPHV_EXECUTABLE\u003e [FLAGS] [OPTIONS] --access-token \u003cACCESS_TOKEN\u003e [SUBCOMMAND]\r\nIn addition to suppressing the display of the PsExec license dialog (-accepteula), the propagated ransomware process will be executed using the SYSTEM account (-s) in a non-interactive session (-d), negating the need to wait for the remote process to complete, with the ransomware executable being copied to the remote host (-c) and overwriting any existing file (-f).\r\nNotably, the legitimate PsExec executable is embedded within the Windows variant and is dropped in the victim’s %TEMP% directory.\r\nAs expected, common Windows ransomware traits are also performed:\r\nDeletion of shadow copies using the Volume Shadow Copy Service (VSS) administrative utility (vssadmin) to thwart recovery efforts:\r\nvssadmin.exe delete shadows /all /quiet\r\nTerminating the processes and/or services specified within the configuration to minimize the number of locked (open) files, as well as potentially disabling backup utilities and security software to evade detection.\r\nEmptying the Recycle Bin.\r\nDefaulting to AES encryption, signified by the ‘best’ configuration option, the process can fall back or be overridden to use ChaCha20.\r\nAfter a file has been encrypted, the pre-configured seven-character alphanumeric file extension is appended to the filename, a value that appears to differ between victims.
\r\nFollowing the encryption phase, a number of final tasks are performed:\r\nNetwork discovery, using NetBIOS and SMB, likely in preparation for propagation, seemingly including the use of the native address resolution protocol (ARP) command to gather the IP and MAC addresses from the ARP table (a list of hosts known to the victim host):\r\narp -a\r\nCreating the predefined ransom note in each folder containing encrypted files, as well as an image containing the short ransom note on the Desktop of all users:\r\nRECOVER-\u003cENCRYPTED_FILE_EXTENSION\u003e-FILES.txt\r\n%USERPROFILE%\\Desktop\\RECOVER-\u003cENCRYPTED_FILE_EXTENSION\u003e-FILES.txt.png\r\nSetting the desktop wallpaper (Figure 5) to the dropped PNG image file for each user through a Windows registry key update:\r\nHKEY_USERS\\\u003cSID\u003e\\Control Panel\\Desktop\\WallPaper = \"C:\\\\Users\\\\\u003cUSERNAME\u003e\\\\Desktop\\\\RECOVER-\u003cENCRYPTED_FILE_EXTENSION\u003e-FILES.txt.png\"\r\nFigure 5 – Desktop wallpaper post-encryption\r\nRepeating the shadow copy deletion process using vssadmin.
\r\nUsing the Windows Event Log utility (wevtutil) to list and then clear all event logs:\r\nfor /F \\\"tokens=*\\\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \\\"%1\\\"\"\r\nVMware ESXi Behaviour\r\nAssuming the ESXi options are not disabled, the VMware ESXi command-line interface utility (esxcli) is called and generates a comma-separated list of all running virtual machines:\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list\r\nThe output of this command is subsequently ‘piped’ to AWK, a text-processing utility, to parse the result and launch the ESXi command-line interface utility to force-terminate each virtual machine:\r\nawk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\"$1)}'\r\nUtilizing the VMware Virtual Infrastructure Management utility (vim-cmd), another list of virtual machines is gathered and parsed, the results of which are passed back to vim-cmd with the ‘snapshot.removeall’ command, which results in any, and all, snapshots being deleted:\r\nfor i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i \u0026 done\r\nVictimology\r\nAs is common with big-game hunter ransomware threats, victims are typically large organizations from which bigger ransoms can be extorted, with reports suggesting that demands have ranged from US$400K up to $3M payable in cryptocurrency.\r\nWhilst the true number of victims is unknown, over twenty organizations have been named on the group’s Tor ‘leak site’, across a variety of sectors and countries including:\r\nAustralia, Bahamas, France, Germany, Italy, Netherlands, Philippines, Spain, United Kingdom, and the United States.\r\nBusiness services, construction, energy, fashion, finance, logistics, manufacturing, pharmaceutical, retail, and technology.
\r\nIndicators of Compromise (IOC)\r\nLinux Processes\r\nThe following legitimate, albeit suspicious, processes were spawned by the Linux/VMware ESXi variant:\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\"$1)}'\r\nfor i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i \u0026 done\r\nWindows Processes\r\nThe following legitimate, albeit suspicious, processes were spawned by the Windows variant:\r\narp -a\r\n%SYSTEM32%\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\nfor /F \\\"tokens=*\\\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \\\"%1\\\"\"\r\nfsutil behavior set SymlinkEvaluation R2L:1\r\nfsutil behavior set SymlinkEvaluation R2R:1\r\npsexec.exe -accepteula \\\\\u003cTARGET_HOST\u003e -u \u003cUSERNAME\u003e -p \u003cPASSWORD\u003e -s -d -f -c \u003cALPHV_EXECUTABLE\u003e [FLAGS] [OPTIONS] --access-token \u003cACCESS_TOKEN\u003e [SUBCOMMAND]\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f\r\nwmic csproduct get UUID\r\nLinux Ransomware Executables (SHA256)\r\nGiven that each sample is victim-specific, the following are provided for research rather than detection purposes:\r\n3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1\r\n5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42\r\n9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26\r\ne7060538ee4b48b0b975c8928c617f218703dab7aa7814ce97481596f2a78556\r\nf7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083\r\nf8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6\r\nWindows Ransomware Executables (SHA256)\r\nGiven that each sample is victim-specific, the following are provided for research rather than detection purposes:\r\n0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479\r\n13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31\r\n15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed\r\n1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e\r\n2587001d6599f0ec03534ea823aab0febb75e83f657fadc3a662338cc08646b0\r\n28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169\r\n2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc\r\n38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1\r\n3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83\r\n4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf\r\n59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f\r\n5bdc0fb5cfbd42de726aacc40eddca034b5fa4afcc88ddfb40a3d9ae18672898\r\n658e07739ad0137bceb910a351ce3fe4913f6fcc3f63e6ff2eb726e45f29e582\r\n7154fdb1ef9044da59fcfdbdd1ed9abc1a594cacb41a0aeddb5cd9fdaeea5ea8\r\n722f1c1527b2c788746fec4dd1af70b0c703644336909735f8f23f6ef265784b\r\n731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161\r\n7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487\r\n7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e\r\n9f6876762614e407d0ee6005f165dd4bbd12cb21986abc4a3a5c7dc6271fcdc3\r\naae77d41eba652683f3ae114fadec279d5759052d2d774f149f3055bf40c4c14\r\nb588823eb5c65f36d067d496881d9c704d3ba57100c273656a56a43215f35442\r\nbd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117\r\nbe8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486\r\nc3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40\r\nc5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486\r\nc8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283\r\ncda37b13d1fdee1b4262b5a6146a35d8fc88fa572e55437a47a950037cc65d40\r\ncefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae\r\nd767524e1bbb8d50129485ffa667eb1d379c745c30d4588672636998c20f857f\r\nf837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb\r\nJason Hill: Jason is a Security Researcher within the Varonis Research Team and has a penchant for all-things threat intelligence. Equally happy analyzing nefarious files or investigating badness, Jason is driven by the desire to make the cyber world a safer place.\r\nSource: https://www.varonis.com/blog/alphv-blackcat-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.varonis.com/blog/alphv-blackcat-ransomware"
	],
	"report_names": [
		"alphv-blackcat-ransomware"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/523fb5166581a9eaf546153772abe03507916591.pdf",
		"text": "https://archive.orkl.eu/523fb5166581a9eaf546153772abe03507916591.txt",
		"img": "https://archive.orkl.eu/523fb5166581a9eaf546153772abe03507916591.jpg"
	}
}