{
	"id": "501c6714-b70c-4d70-bf7e-3be22ce55f3c",
	"created_at": "2026-04-06T00:18:52.03196Z",
	"updated_at": "2026-04-10T03:29:40.191209Z",
	"deleted_at": null,
	"sha1_hash": "71135994d0530558ed00489163eb2ffd49245845",
	"title": "Cybereason vs. BlackCat Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1551931,
	"plain_text": "Cybereason vs. BlackCat Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 13:07:22 UTC\r\nSince its first emergence in November 2021, the Cybereason Nocturnus team has been tracking the BlackCat\r\nRansomware (aka ALPHV), which has been called “2021’s most sophisticated ransomware”. \r\nBlackCat ransomware quickly gained notoriety, leaving a trail of destruction behind it; its recent victims\r\ninclude German oil companies, an Italian luxury fashion brand and a Swiss aviation company. \r\nThe Cybereason XDR Platform Detects and Blocks BlackCat Ransomware\r\nSince its recent emergence, BlackCat has attacked various industries, including telecommunications, commercial\r\nservices, insurance, retail, machinery, pharmaceuticals, transportation, and construction. Among the\r\naffected regions are Germany, France, Spain, the Philippines, and the Netherlands, with most victims\r\nlocated in the US. \r\nThe ransomware was given the name “BlackCat” because a favicon of a black cat is used on every victim's\r\nTor payment site. The operators of BlackCat have been using the names “alphv” and “ransom” on cybercrime\r\nforums (ramp_v2, exploit.in) in order to recruit affiliates. \r\nThe operators of the ransomware appear to be from Russian-speaking regions. Like many others, BlackCat uses a\r\nRaaS (Ransomware-as-a-Service) model. Affiliates of BlackCat are offered between 80% and 90% of the ransom\r\npayment and, once approved, are given access to the affiliate control panel:\r\nhttps://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware\r\nPage 1 of 13\n\nLeaked document from BlackCat Leaks website\r\nOne of the unique elements of the BlackCat ransomware is that it is written in Rust, which is not a common\r\nprogramming language for malware and ransomware. 
“Rust is a multi-paradigm, general-purpose programming\r\nlanguage designed for performance and safety.” \r\nBecause of Rust’s emphasis on performance, encryption is very fast. In addition, Rust is cross-platform, which makes it easier to create variants for both Windows and Linux. \r\nThe operators of BlackCat confirmed that they are affiliates of the DarkSide/BlackMatter ransomware gang. They\r\nclaim to be apolitical with regard to geopolitics and to refrain from attacking medical institutions and\r\nhospitals. \r\nThe group has adopted the popular double extortion paradigm, which means that in addition to encrypting files,\r\nthey also steal them and later threaten to publish the stolen data unless the ransom is paid. In some cases triple\r\nextortion is used, adding the threat of DDoS attacks. \r\nKey Details\r\nSophisticated Ransomware: BlackCat has been called “2021’s most sophisticated ransomware”\r\nHigh Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive\r\npotential of the attacks.\r\nDeveloped in Rust: BlackCat was developed in Rust, which is unusual for ransomware.\r\nTriple Extortion: The BlackCat operators use double extortion and sometimes triple extortion to make\r\nvictims pay the ransom.\r\nShared Infrastructure with LockBit: BlackCat has shared infrastructure with, and used similar tools and\r\nnaming conventions to, the LockBit ransomware.\r\nDetected and Prevented: The Cybereason XDR Platform fully detects and prevents the BlackCat\r\nransomware.\r\nTechnical Analysis\r\nBreaking down BlackCat Ransomware\r\nThe BlackCat ransomware has both Windows and Linux variants. 
The ransomware includes multiple execution\r\nflags which give its operators control over behaviors such as whether to stop running virtual machines or whether the\r\nransomware should change the desktop wallpaper:\r\nBlackCat help menu\r\nIn order to execute properly, BlackCat must be run with the “--access-token” flag, although any string is\r\naccepted as its value. \r\nUpon execution, BlackCat may attempt privilege escalation in the following ways:\r\nUAC bypass by abusing the Connection Manager Admin API Helper for Setup COM interface\r\n(cmstplua.dll)\r\nAbusing CVE-2016-0099 (Secondary Logon Service exploit)\r\nAdjusting access token privileges \r\nNext, BlackCat retrieves the UUID (universally unique identifier) of the machine by running a WMI command;\r\nthe value is used later for the recovery URL in the ransom note: \r\nwmic csproduct get UUID\r\nBlackCat enables evaluation of remote-to-local (R2L) and remote-to-remote (R2R) symbolic links on the infected\r\nmachine. A symbolic link is a file system object that points to another file or directory. This is probably done to\r\nmake sure that the ransomware is able to follow links on the machine, including links to remote shares, in order to\r\nreach the original files to encrypt:\r\nfsutil behavior set SymlinkEvaluation R2L:1\r\nfsutil behavior set SymlinkEvaluation R2R:1\r\nBlackCat also attempts to stop Internet Information Services (IIS) on the infected machine using iisreset.exe:\r\niisreset.exe /stop\r\nThe ransomware changes the maximum number of outstanding requests that can be maintained. An outstanding request is a\r\nrequest that is still waiting for a response. 
These apply to SMB requests handled by the LanmanServer service; the change is probably\r\ndone to raise the number of concurrent PsExec connections the machine can handle so the ransomware may spread:\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v\r\nMaxMpxCt /d 65535 /t REG_DWORD /f\r\nThen, it deletes the shadow copies from the infected machine using both “vssadmin” and “wmic”:\r\nvssadmin.exe delete shadows /all /quiet\r\nwmic shadowcopy delete\r\nBlackCat Execution as seen in the Cybereason XDR Platform\r\nBlackCat enumerates all local disk partitions on the infected machine, and any hidden partition that is found is\r\nmounted in order to make it possible to encrypt more files. \r\nThe ransomware also attempts to propagate through the network using the “net use” command and a copy of PsExec\r\nthat is embedded inside the BlackCat executable. The ransomware runs these tools with credentials that are\r\nstored in the ransomware configuration:\r\nCredentials in the configuration\r\nAdditionally, BlackCat disables Windows’ automatic repair and clears the machine's event logs by running the\r\nfollowing commands:\r\nbcdedit /set {default} recoveryenabled No\r\ncmd.exe /c for /F \\\"tokens=*\\\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \\\"%1\\\" \r\nIn order to maximize the number of encrypted files, BlackCat attempts to kill several processes and services on\r\nthe machine so that fewer files remain locked by another program (full list in the appendix). In addition,\r\nBlackCat’s configuration includes a list of directories to be excluded from encryption (see appendix):\r\nBlackCat Configuration\r\nTo encrypt the files, BlackCat may use AES or ChaCha20, based on the configuration. 
It drops a\r\nransom note titled “RECOVER-[encrypted file extension]-FILES.txt” in each folder and, finally, the\r\nransomware changes the desktop wallpaper:\r\nWallpaper after BlackCat change\r\nBlackCat ransom note\r\nLinux variant specific commands\r\nThe Linux variant was observed executing commands in order to delete VMware ESXi snapshots. The\r\nransomware first generates a list of running virtual machines:\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list \r\nEach virtual machine is then terminated using the command: \r\nawk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\"$1)}' \r\nFinally, all snapshots of the virtual machines are deleted:\r\nfor i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i \u0026 done\r\nBlackCat and LockBit Connection\r\nThe Nocturnus team observed interesting overlaps between tools and infrastructure used by BlackCat ransomware\r\nand LockBit ransomware. The Nocturnus team analyzed a .NET launcher named “setup.exe” that is used\r\nto download and execute BlackCat ransomware. \r\nThe launcher contains the following PDB path:\r\n“D:\\my\\Documents\\Visual Studio 2019\\setup\\obj\\Release\\setup.pdb”. \r\nWhen searching for files that share this PDB path, we encountered several additional malware samples with the same\r\nname that have remarkable similarities to the BlackCat launcher. When examining the code and infrastructure of these\r\nsamples, we see overlaps between BlackCat infrastructure and LockBit infrastructure. 
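The Windows command lines catalogued in the technical analysis above (wmic csproduct, fsutil SymlinkEvaluation, the MaxMpxCt registry change, vssadmin and wmic shadow copy deletion, bcdedit, wevtutil, net use, PsExec) and the ESXi esxcli/vim-cmd sequence from the Linux section form a compact detection surface. The following is an added example written for this edit; it is not code from the original post or from Cybereason. It is a small Python matcher that scans process-creation records, tags each matching command line with a behavior category, and flags a host once several distinct categories appear on it, since single hits such as a UUID lookup or a net use are routine noise while the chain is not. The record shape (host and cmdline fields), the category labels, the threshold of three categories and the sample telemetry are all assumptions constructed for the illustration, not observed victim data.

```python
import re
from collections import defaultdict

# Indicator table derived from the command lines quoted in the post. Each entry is
# (name, behavior category, pattern). Category labels are our own and loosely follow
# the post's ATT&CK breakdown. Patterns are case-insensitive with wildcard gaps because
# operators vary argument order and quoting; the per-host correlation in score_hosts()
# is what keeps these loose patterns from flooding an analyst.
INDICATORS = [
    ('access_token_flag',   'Execution',               '--access-token'),
    ('uuid_via_wmic',       'Discovery',               'wmic.*csproduct.*uuid'),
    ('symlink_evaluation',  'Preparation',             'fsutil.*behavior.*set.*symlinkevaluation'),
    ('iis_stop',            'Service Stop',            'iisreset.*/stop'),
    ('maxmpxct_tuning',     'Lateral Movement',        'reg.*add.*lanmanserver.*maxmpxct'),
    ('shadow_copy_delete',  'Inhibit System Recovery', '(vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete)'),
    ('disable_recovery',    'Inhibit System Recovery', 'bcdedit.*recoveryenabled.*no'),
    # requires the clear (cl) verb, so a plain enumeration (wevtutil el) does not fire
    ('clear_event_logs',    'Defense Evasion',         'wevtutil(.exe)? +cl( |$)'),
    ('admin_share_mapping', 'Lateral Movement',        '(^| )net +use '),
    ('psexec',              'Lateral Movement',        'psexec'),
    ('esxi_vm_list',        'Discovery',               'esxcli.*vm +process +list'),
    ('esxi_vm_kill',        'Impact',                  'esxcli.*vm +process +kill'),
    ('esxi_snapshot_purge', 'Inhibit System Recovery', 'vim-cmd.*snapshot[.]removeall'),
]
COMPILED = [(name, cat, re.compile(pat, re.IGNORECASE)) for name, cat, pat in INDICATORS]


def match_indicators(cmdline):
    '''Return the (name, category) pairs whose pattern occurs in one command line.'''
    return [(name, cat) for name, cat, rx in COMPILED if rx.search(cmdline)]


def score_hosts(records, min_categories=3):
    '''Group process-creation records by host and flag hosts showing at least
    min_categories distinct behavior categories. The threshold is an assumption;
    tune it against local baseline noise.'''
    per_host = defaultdict(lambda: {'hits': set(), 'categories': set()})
    for rec in records:
        for name, cat in match_indicators(rec['cmdline']):
            per_host[rec['host']]['hits'].add(name)
            per_host[rec['host']]['categories'].add(cat)
    return {
        host: {
            'hits': sorted(v['hits']),
            'categories': sorted(v['categories']),
            'flag': len(v['categories']) >= min_categories,
        }
        for host, v in per_host.items()
    }


# Constructed sample telemetry (not real victim data): one workstation replaying the
# Windows chain from the post, one ESXi host replaying the Linux variant, and two
# hosts with a single benign-looking command each.
SAMPLE_RECORDS = [
    {'host': 'WS-014', 'cmdline': 'screensaver.exe --access-token 15742aa362a84ba3'},
    {'host': 'WS-014', 'cmdline': 'wmic csproduct get UUID'},
    {'host': 'WS-014', 'cmdline': 'fsutil behavior set SymlinkEvaluation R2L:1'},
    {'host': 'WS-014', 'cmdline': 'reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f'},
    {'host': 'WS-014', 'cmdline': 'vssadmin.exe delete shadows /all /quiet'},
    {'host': 'WS-014', 'cmdline': 'bcdedit /set {default} recoveryenabled No'},
    {'host': 'WS-014', 'cmdline': '''cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"'''},
    {'host': 'esxi-02', 'cmdline': 'esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list'},
    {'host': 'esxi-02', 'cmdline': 'esxcli vm process kill --type=force --world-id=2101234'},
    {'host': 'esxi-02', 'cmdline': 'vim-cmd vmsvc/snapshot.removeall 12'},
    {'host': 'WS-201', 'cmdline': 'wmic csproduct get UUID'},                      # inventory script
    {'host': 'WS-202', 'cmdline': 'net use Z: \\\\fileserver\\share /persistent:no'},  # logon script
]


if __name__ == '__main__':
    for host, info in score_hosts(SAMPLE_RECORDS).items():
        print(host, 'FLAG' if info['flag'] else 'ok', info['categories'])
```

In the constructed sample only WS-014 (six categories) and esxi-02 (three categories) are flagged; the two hosts with a lone wmic or net use are not. A production version would feed Sysmon Event ID 1 or Windows 4688 command lines and ESXi shell logs into score_hosts() instead of the inline list, and would weight the Inhibit System Recovery category higher, since shadow copy deletion and snapshot purges are rarely legitimate outside scheduled maintenance.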
\r\nBlackCat Launcher\r\nThe launcher downloads the BlackCat executable from the C2 and executes it using the “--access-token”\r\nargument, which is required in order to run BlackCat:\r\nBlackCat Launcher code\r\nAdditionally, the tool collects basic profiling information about the infected machine and uploads it to the C2. The\r\ninformation collected is:\r\nA screen capture\r\nUsername\r\nOS name\r\nOS language\r\nTimezone\r\nWindows UUID\r\nKeyboard language\r\nInstalled users\r\nInstalled software\r\nDrives\r\nLockBit Profiler Tool\r\nThe Nocturnus team discovered striking similarities between the BlackCat launcher and a profiler associated with\r\nLockBit ransomware. The profiler variants which are linked to LockBit use almost the same code as the BlackCat\r\nlauncher, except for slight variations. \r\nThe functional differences are that the profilers do not attempt to download anything and only collect profiling\r\ndata, and that instead of collecting the machine’s “Windows UUID”, the profiler checks whether\r\nLockBit is already installed on the machine:\r\nLeft: LockBit profiler code Right: BlackCat Launcher code\r\nWhen checking the infrastructure used by these tools, we see connections and similarities in the IP addresses, URI\r\nstructure, and file names:\r\nBlackCat and LockBit infrastructure comparison \r\nAll the IP addresses that are used by the BlackCat launcher and LockBit profiler share the URI paths “files” and\r\n“upload”. In addition, BlackCat and LockBit samples sometimes share file names. 
For example, we observed\r\nBlackCat samples with the name\r\n“test_4mmc_x86_32_windows_encrypt_app.exe” and LockBit samples with the name “4mmc.exe”.\r\nAnother example of shared file names is a LockBit sample named “screensaver.exe”, which is also the default\r\nname used for the BlackCat executable that is downloaded using the launcher:\r\n“Screensaver.exe” used in BlackCat Launcher\r\nThis overlap in tools and infrastructure between BlackCat ransomware and LockBit\r\nransomware might indicate sharing of code and tools between cybercriminals, or there could be individuals that\r\nworked for both ransomware operations:\r\nBlackCat and LockBit Infrastructure map\r\nCYBEREASON DETECTION AND PREVENTION\r\nThe Cybereason XDR Platform is able to prevent the execution of the BlackCat Ransomware using multi-layer\r\nprotection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus\r\n(NGAV) capabilities. 
\r\nAdditionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are\r\nable to detect and prevent any attempt to encrypt files and generate a MalOp for it:\r\nCybereason Detects and Blocks BlackCat Ransomware\r\nSECURITY RECOMMENDATIONS\r\nEnable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware\r\nprotection mode to Prevent - more information for Cybereason customers can be found here\r\nEnable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent\r\nand set the detection mode to Moderate and above - more information for Cybereason customers can be\r\nfound here\r\nKeep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\nRegularly Back Up Files to a Remote Server: Restoring your files from a backup is the fastest way to\r\nregain access to your data\r\nUse Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering,\r\nand mail filtering\r\nMITRE ATT\u0026CK BREAKDOWN\r\nReconnaissance: Gather Victim Host Information\r\nExecution: Command-line interface\r\nPrivilege Escalation: Signed Binary Proxy Execution, Access Token Manipulation, Exploitation for Privilege Escalation\r\nDiscovery: Process Discovery, System Service Discovery, File and Directory Discovery\r\nLateral Movement: Lateral Tool Transfer\r\nCollection: Data from Local System\r\nImpact: Data Encrypted for Impact, Service Stop, Inhibit System Recovery\r\nAppendix\r\nProcess to kill list:\r\nagntsvc , dbeng50 , dbsnmp , encsvc , excel , firefox , infopath , isqlplussvc , msaccess , mspub , mydesktopqos ,\r\nmydesktopservice , 
notepad , ocautoupds , ocomm , ocssd , onenote , oracle , outlook , powerpnt , sqbcoreservice ,\r\nsql , steam , synctime , tbirdconfig , thebat , thunderbird , visio , winword , wordpad , xfssvccon , *sql* , bedbh ,\r\nvxmon , benetns , bengien , pvlsvr , beserver , raw_agent_svc , vsnapvss , CagService , QBIDPService ,\r\nQBDBMgrN , QBCFMonitorService , SAP , TeamViewer_Service , TeamViewer , tv_w32 , tv_x64 , CVMountd ,\r\ncvd , cvfwd , CVODS , saphostexec , saposcol , sapstartsrv , avagent , avscc , DellSystemDetect , EnterpriseClient ,\r\nVeeamNFSSvc , VeeamTransportSvc , VeeamDeploymentSvc \r\nServices to kill list:\r\nmepocs , memtas , veeam , svc$ , backup , sql , vss , msexchange , sql$ , mysql , mysql$ , sophos , MSExchange ,\r\nMSExchange$ , WSBExchange , PDVFSService , BackupExecVSSProvider , BackupExecAgentAccelerator ,\r\nBackupExecAgentBrowser , BackupExecDiveciMediaService , BackupExecJobEngine ,\r\nBackupExecManagementService , BackupExecRPCService , GxBlr , GxVss , GxClMgrS , GxCVD , GxCIMgr ,\r\nGXMMM , GxVssHWProv , GxFWD , SAPService , SAP , SAP$ , SAPD$ , SAPHostControl , SAPHostExec ,\r\nQBCFMonitorService , QBDBMgrN , QBIDPService , AcronisAgent , VeeamNFSSvc ,\r\nVeeamDeploymentService , VeeamTransportSvc , MVArmor , MVarmor64 , VSNAPVSS , AcrSch2Svc\r\nAbout the Researchers\r\nTom Fakterman\r\nTom Fakterman, Cyber Security Analyst with the Cybereason Nocturnus Research Team, specializes in protecting\r\ncritical networks and incident response. Tom has experience in researching malware, computer forensics and\r\ndeveloping scripts and tools for automated cyber investigations.\r\nOhav Peri\r\nOhav Peri, cyber security analyst with the Cybereason Nocturnus Research Team, focusing on malware analysis\r\nand defense platforms research. 
Ohav began his career as a security researcher and software engineer in the\r\nintelligence corps of the military forces.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government\r\nintelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing\r\nnew attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The\r\nCybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit\r\ncyberattacks.\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware"
	],
	"report_names": [
		"cybereason-vs.-blackcat-ransomware"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71135994d0530558ed00489163eb2ffd49245845.pdf",
		"text": "https://archive.orkl.eu/71135994d0530558ed00489163eb2ffd49245845.txt",
		"img": "https://archive.orkl.eu/71135994d0530558ed00489163eb2ffd49245845.jpg"
	}
}