{
	"id": "845a941f-cc8e-4840-bbd0-9eb6072604e6",
	"created_at": "2026-04-06T00:21:04.009157Z",
	"updated_at": "2026-04-10T03:35:21.397948Z",
	"deleted_at": null,
	"sha1_hash": "928eec9e4a9544b5135ba6a1d867e1f52e64d54b",
	"title": "BlackCat Ransomware: Tactics and Techniques From a Targeted Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 148871,
	"plain_text": "BlackCat Ransomware: Tactics and Techniques From a Targeted\r\nAttack\r\nBy Gustavo Palazolo\r\nPublished: 2022-11-09 · Archived: 2026-04-02 10:57:28 UTC\r\nSummary\r\nBlackCat (a.k.a. ALPHV and Noberus) is a Ransomware-as-a-Service (RaaS) group that emerged in November\r\n2021, making headlines for being a sophisticated ransomware written in Rust. It has both Windows and Linux\r\nvariants and the payload can be customized to adapt to the attacker’s needs. BlackCat is also believed to be the\r\nsuccessor of the Darkside and BlackMatter ransomware groups. They work with a double-extortion scheme,\r\nwhere data is stolen, encrypted, and leaked if the ransom isn’t paid, which is a common methodology\r\nimplemented by RaaS groups. \r\nAccording to Microsoft, BlackCat was found targeting different countries and regions in Africa, the Americas,\r\nAsia, and Europe, having at least two known affiliates: DEV-0237 (previously associated with Ryuk, Conti, and\r\nHive), and DEV-0504 (previously associated with Ryuk, REvil, BlackMatter, and Conti). However, due to the\r\ndiversity of affiliates and targets, BlackCat may present different TTPs across the attacks. Recently, in September\r\n2022, BlackCat claimed to have breached a contractor that provides services to the U.S. Department of Defense\r\nand other government agencies. \r\nIn this blog post, we will analyze BlackCat and show some of the tactics and techniques we found in a recent\r\nransomware incident analyzed by Netskope Threat Labs. The evidence shows that this was a targeted attack,\r\nwhere the attackers were mainly focused on stealing sensitive data from the organization and infecting as many\r\ndevices as possible.\r\nIn a recent incident analyzed by Netskope Threat Labs, the attackers breached a contractor who had access to a\r\nvirtual desktop machine within the corporate network.\r\nThe attacker used a malicious browser extension to capture the contractor’s account. 
Since there was no MFA\r\nrequired, the attacker was able to log in to the virtual desktop, escalate privileges, and move to other devices in the\r\ncorporate network.\r\nPayload Execution\r\nAfter scanning the corporate network, BlackCat attackers created multiple text files, each one containing the\r\nnames of identified machines in the network.\r\nhttps://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack\r\nPage 1 of 31\n\nFiles with names of machines identified by the attackers.\r\nThen, they used PsExec and a compromised domain account to deploy ExMatter to more than 2,000 machines in\r\nthe network.\r\nDetails of PsExec binary used by BlackCat attackers.\r\nThe attackers used batch files to execute multiple PsExec commands to deploy payloads to the identified\r\nmachines.\r\nBatch file executed by BlackCat attacker.\r\nBelow is an example of the command line executed by the attacker to remotely execute commands and payloads\r\nusing PsExec and the compromised account:\r\nstart PsExec.exe -d -n 5 @C:\\temp\\list01.txt -accepteula -u \u003cREDACTED_USER\u003e -p\r\n\u003cREDACTED_PASSWORD\u003e cmd /c \u003cCOMMAND_LINE\u003e\r\nThe description for the PsExec arguments used by the attacker can be found below:\r\nArgument Description\r\n-d Don't wait for process to terminate (non-interactive)\r\n-n 5 Wait 5 seconds when connecting to remote computers\r\n@C:\\temp\\list01.txt File containing the names of the computers on which PsExec will execute the command\r\n-accepteula Automatically accept the EULA to avoid displaying the dialog\r\n-u Username of the compromised account used by the attacker\r\n-p Password of the compromised account used by the attacker\r\ncmd /c 
Command-line executed by the attacker\r\nAmong other evidence, it’s possible to confirm whether PsExec was successfully executed on a device by checking\r\nthe following registry key.\r\nKey added by PsExec when the tool is executed.\r\nData Exfiltration\r\nIn this incident, the attackers used a .NET data exfiltration tool known as ExMatter, which was the same tool used\r\nby BlackMatter ransomware and recently adopted by BlackCat. It’s worth mentioning that the server used for data\r\nexfiltration in this incident was stood up by the attackers one day before the attack.\r\nThe specific sample from this incident was compiled close to the attack and contains a popular .NET protection\r\nnamed Confuser.\r\nSome details about the ExMatter tool used by BlackCat attackers.\r\nThe attacker tried to deploy this tool to over 2,000 machines in the network using PsExec, as described earlier.\r\nExMatter will iterate over the drives of infected machines to search for files that will be exfiltrated.\r\nLogs from the ExMatter tool used by BlackCat.\r\nAs described earlier, this tool was recently updated by BlackCat, containing code refactoring and new\r\nfunctionalities. Despite the code changes, we can clearly observe similarities between a known ExMatter sample\r\nand the tool used in this attack.\r\nComparing a known ExMatter tool with the binary found in the attack.\r\nExMatter contains a list with details about the types of files it will try to exfiltrate and directories to avoid. 
Also,\r\nthis tool only steals files between 4 KB and 64 MB.\r\nTypes of files ExMatter will try to exfiltrate.\r\nIt will not exfiltrate data from the following directories:\r\nAppData\\Local\\Microsoft\r\nAppData\\Local\\Packages\r\nAppData\\Roaming\\Microsoft\r\nC:\\$Recycle.Bin\r\nC:\\Documents and Settings\r\nC:\\PerfLogs\r\nC:\\Program Files\r\nC:\\Program Files (x86)\r\nC:\\ProgramData\r\nC:\\Users\\All Users\\Microsoft\r\nC:\\Windows\r\nExMatter skipping directories from the pre-defined list.\r\nAs previously mentioned, it will only exfiltrate files that have the following extensions and are within the file\r\nsize threshold:\r\n*.bmp\r\n*.doc\r\n*.docx\r\n*.dwg\r\n*.ipt\r\n*.jpeg\r\n*.jpg\r\n*.msg\r\n*.pdf\r\n*.png\r\n*.pst\r\n*.rdp\r\n*.rtf\r\n*.sql\r\n*.txt\r\n*.txt\r\n*.xls\r\n*.xlsx\r\n*.zip\r\nExMatter function that searches for files to exfiltrate.\r\nBy default, this specific sample tries to communicate with an IP address via WebDAV, initially sending a\r\nPROPFIND request.\r\nExfiltration tool sending an initial request to the attacker’s server.\r\nThe WebDAV methods implemented by this tool are: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE,\r\nLOCK, and UNLOCK.\r\nWebDAV methods implemented in ExMatter.\r\nThis tool can also be executed in the background (without showing the console) if “-background” or “-b” 
is\r\nspecified.\r\nChecking if the “background” parameter was specified.\r\nData Encryption\r\nLike the ExMatter tool, the BlackCat payload was also compiled in July 2022. The attackers deployed the\r\nransomware to over 2,000 machines with the same technique described earlier, by using PsExec with a\r\ncompromised domain account.\r\nSome of the binary details of BlackCat ransomware.\r\nBlackCat can be executed with different parameters, which can be found in its “help” menu.\r\nBlackCat ransomware help menu.\r\nThe options offered by BlackCat ransomware are:\r\nParameter Description\r\n--access-token String used by BlackCat to validate the execution. 
It’s also used to decrypt BlackCat\r\nconfiguration in the latest version\r\n--bypass This parameter doesn’t seem to be implemented\r\n--child Run as child process\r\n--drag-and-drop Invoked with drag and drop\r\n--drop-drag-and-drop-target Drop drag and drop target batch file\r\n--extra-verbose Log more to console (Also forces process to run in attached mode)\r\n-h, --help Print help information\r\n--log-file Enable logging to specified file\r\n--no-impers Do not spawn impersonated processes on Windows\r\n--no-net Do not discover network shares on Windows\r\n--no-prop Do not self propagate (worm) on Windows\r\n--no-prop-servers Do not propagate to defined servers\r\n--no-vm-kill Do not stop VMs on ESXi\r\n--no-vm-kill-names Do not stop defined VMs on ESXi\r\n--no-vm-snapshot-kill Do not wipe VMs snapshots on ESXi\r\n--no-wall Do not update desktop wallpaper on Windows\r\n-p, --paths Only process files inside defined paths\r\n--prop-file Propagate specified file\r\n--propagated Run as propagated process\r\n--safeboot Reboot in Safe Mode before running on Windows\r\n--safeboot-instance Run as safeboot instance on Windows\r\n--safeboot-network Reboot in Safe Mode with Networking before running on Windows\r\n--sleep-restart Sleep for duration in seconds after a successful run and then restart. (This is soft\r\npersistence, keeps process alive no longer then defined in --sleep-restart-duration, 24\r\nhours by default)\r\n--sleep-restart-duration Keep soft persistence alive for duration in seconds. (24 hours by default)\r\n--sleep-restart-until Keep soft persistence alive until defined UTC time in millis. 
(Defaults to 24 hours since\r\nlaunch)\r\n--ui Show user interface\r\n-v, --verbose Log to console\r\nAt this point, two versions of BlackCat’s encryptor were found in the wild. The first one was storing the\r\nransomware’s configuration in plain text within the binary, which could be easily extracted and parsed. The\r\nsecond one started to encrypt the configuration, where the decryption key is passed via an argument named\r\n“access token”. In other words, the latest version of BlackCat cannot be executed or have its configuration\r\nextracted if the access token is unknown. \r\nThe version used in this specific attack is the latest one, which can be confirmed by running the sample without\r\nthe access key or with a random key, generating an “invalid config” error.\r\nBlackCat cannot be executed without the correct token created by the attacker.\r\nOnce running, the access key is parsed and used to decrypt the configuration at runtime, using AES-128.\r\nBlackCat ransomware decrypting the configuration with the token provided by the attacker.\r\nBlackCat ransomware’s configuration contains 23 fields:\r\nValue Description\r\nconfig_id Configuration ID (used by BlackCat to identify the target)\r\nextension Extension added to encrypted files\r\npublic_key RSA public key\r\nnote_file_name Name of the ransom note\r\nnote_full_text Full version of the ransom note\r\nnote_short_text Short version of the ransom note\r\ncredentials Array of compromised credentials used by BlackCat for privilege escalation and propagation via PsExec\r\ndefault_file_mode File encryption 
mode, usually set as “Auto”. The “SmartPattern” value was\r\nalso found in the wild, which resulted in just some megabytes of the file\r\nbeing encrypted.\r\ndefault_file_cipher File encryption cipher, usually defined as “Best”, which uses AES.\r\nkill_services List of services to be terminated\r\nkill_processes List of processes to be terminated\r\nexclude_directory_names List of directories to exclude from the encryption process\r\nexclude_file_names List of files to exclude from the encryption process\r\nexclude_file_extensions List of extensions to exclude from the encryption process\r\nexclude_file_path_wildcard File paths to be excluded from the encryption process using wildcard\r\nenable_network_discovery Enable/disable network discovery\r\nenable_self_propagation Enable/disable self propagation via PsExec\r\nenable_set_wallpaper Enable/disable the wallpaper change\r\nenable_esxi_vm_kill Enable/disable VM termination on ESXi\r\nenable_esxi_vm_snapshot_kill Enable/disable snapshot deletion on ESXi\r\nstrict_include_paths Hardcoded file paths to encrypt\r\nesxi_vm_kill_exclude List of VMs to exclude on ESXi hosts\r\nsleep_restart Sleep time before restart\r\nAccording to the decrypted configuration of this specific sample, the ransomware tries to kill the following\r\nservices:\r\nagntsvc\r\ndbeng50\r\ndbsnmp\r\nencsvc\r\nexcel\r\nfirefox\r\ninfopath\r\nisqlplussvc\r\nmsaccess\r\nmspub\r\nhttps://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack\r\nPage 19 of 
31\n\nmydesktopqos\r\nmydesktopservice\r\nnotepad\r\nocautoupds\r\nocomm\r\nocssd\r\nonenote\r\noracle\r\noutlook\r\npowerpnt\r\nsqbcoreservice\r\nsql\r\nsteam\r\nsynctime\r\ntbirdconfig\r\nthebat\r\nthunderbird\r\nvisio\r\nwinword\r\nwordpad\r\nxfssvccon\r\n*sql*\r\nbedbh\r\nvxmon\r\nbenetns\r\nbengien\r\npvlsvr\r\nbeserver\r\nraw_agent_svc\r\nvsnapvss\r\nCagService\r\nQBIDPService\r\nQBDBMgrN\r\nQBCFMonitorService\r\nSAP\r\nTeamViewer_Service\r\nTeamViewer\r\ntv_w32\r\ntv_x64\r\nCVMountd\r\ncvd\r\ncvfwd\r\nCVODS\r\nsaphostexec\r\nsaposcol\r\nsapstartsrv\r\navagent\r\navscc\r\nDellSystemDetect\r\nEnterpriseClient\r\nVeeamNFSSvc\r\nVeeamTransportSvc\r\nVeeamDeploymentSvc\r\nThe ransomware does not encrypt files in the following directories:\r\nsystem volume information\r\nintel\r\n$windows.~ws\r\napplication data\r\n$recycle.bin\r\nmozilla\r\n$windows.~bt\r\npublic\r\nmsocache\r\nwindows\r\ndefault\r\nall users\r\ntor browser\r\nprogramdata\r\nboot\r\nconfig.msi\r\ngoogle\r\nperflogs\r\nappdata\r\nwindows.old\r\nIt has the following file name exclusion list:\r\ndesktop.ini\r\nautorun.inf\r\nntldr\r\nbootsect.bak\r\nthumbs.db\r\nboot.ini\r\nntuser.dat\r\niconcache.db\r\nbootfont.bin\r\nntuser.ini\r\nntuser.dat.log\r\nIt also skips encryption of files with these extensions:\r\nthemepack\r\nnls\r\ndiagpkg\r\nmsi\r\nlnk\r\nexe\r\ncab\r\nscr\r\nbat\r\ndrv\r\nrtp\r\nmsp\r\nprf\r\nmsc\r\nico\r\nkey\r\nocx\r\ndiagcab\r\ndiagcfg\r\npdb\r\nwpx\r\nhlp\r\nicns\r\nrom\r\ndll\r\nmsstyles\r\nmod\r\nps1\r\nics\r\nhta\r\nbin\r\ncmd\r\nani\r\n386\r\nhttps://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack\r\nPage 22 of 
31\n\nlock\r\ncur\r\nidx\r\nsys\r\ncom\r\ndeskthemepack\r\nshs\r\nldf\r\ntheme\r\nmpa\r\nnomedia\r\nspl\r\ncpl\r\nadv\r\nicl\r\nmsu\r\nThe following settings are also enabled according to the config file:\r\nNetwork Discovery\r\nSelf Propagation\r\nSet Wallpaper\r\nESXi VM Kill\r\nESXi VM Snapshot kill\r\nBlackCat also contains a “self propagation” functionality (worm), by using PsExec and compromised credentials\r\nspecified in the configuration. The PsExec binary is encrypted and stored within the ransomware executable.\r\nPsExec binary embedded within the ransomware payload.\r\nThere’s also an option named “drag-and-drop”, which creates a batch file that can be used to execute the\r\nransomware. The content of this file is decrypted at runtime.\r\nBatch file created by BlackCat.\r\nAdditional commands run by BlackCat:\r\n1. Get device UUID\r\n“C:\\Windows\\system32\\cmd.exe” /c “wmic csproduct get UUID”\r\n2. Stop IIS service\r\n“C:\\Windows\\system32\\cmd.exe” /c “iisreset.exe /stop”\r\n3. Clean shadow copies\r\n“C:\\Windows\\system32\\cmd.exe” /c “vssadmin.exe Delete Shadows /all /quiet”\r\n“C:\\Windows\\system32\\cmd.exe” /c “wmic.exe Shadowcopy Delete”\r\n4. List Windows event log names and try to clear them all.\r\n“C:\\Windows\\system32\\cmd.exe” /c “wevtutil.exe el”\r\n“C:\\Windows\\system32\\cmd.exe” /c “wevutil.exe cl \\”\u003cNameHere\u003e\\”\r\nIn this attack, we noticed that the attacker listed all the logs with the correct binary (wevtutil), but there’s a typo in\r\nthe commands that actually clear the logs (wevutil). 
In other words, the attacker failed to clean the Windows event\r\nlogs.\r\nTypo in command line executed by the ransomware.\r\nThis ransomware encrypts files using AES or ChaCha20 depending on the configuration, and the key used to\r\nencrypt the file is encrypted with a public RSA key contained within its configuration. \r\nOnce done, the extension defined in the configuration is appended to encrypted files and, like other ransomware,\r\nBlackCat creates a ransom note with information about the attack and contact instructions.\r\nBlackCat ransom note.\r\nIf enabled in the configuration, the ransomware also changes the user’s wallpaper to the following message.\r\nBlackCat wallpaper message.\r\nBlackCat’s Website\r\nLike other RaaS groups operating in the double-extortion scheme, BlackCat maintains a website hosted on the\r\ndeep web where they leak stolen data if the ransom isn’t paid by the victims.\r\nBlackCat “collections” website.\r\nThey are likely the first ransomware group that allows you to search leaked data through keywords, even\r\nsupporting wildcards.\r\nConclusions\r\nBlackCat and other Ransomware-as-a-Service (RaaS) groups often exploit basic flaws in security policies and\r\nnetwork architecture to infect as many devices as possible, stealing and encrypting data to extort organizations and\r\nindividuals. 
As demonstrated in this analysis, these groups often use legitimate tools throughout the attack, such as\r\nPsExec.\r\nWe strongly recommend companies revisit password policies and avoid using default passwords for new accounts.\r\nTechnologies such as Microsoft LAPS can help to generate unique passwords for local administrator accounts.\r\nImplementing a security policy to enforce multi-factor authentication and using strong passwords for domain\r\naccounts is also recommended. \r\nImplementing strong monitoring and blocking known tools like PsExec can also help the security of your\r\norganization. User training is also strongly recommended as social engineering could be exploited by these groups\r\nto gain access to networks. Lastly, we also recommend using a secure web gateway to protect your network\r\nagainst malware and data exfiltration.\r\nTactics and Techniques\r\nAll the tactics and techniques observed in this analysis can be mapped with the MITRE ATT\u0026CK knowledge base\r\nas follows:\r\nTactic ATT\u0026CK ID Description\r\nReconnaissance T1589.001 Gather Victim Identity Information: Credentials\r\nResource Development T1587.001 Develop Capabilities: Malware\r\nResource Development T1588.002 Obtain Capabilities: Tool\r\nInitial Access T1078.002 Valid Accounts: Domain Accounts\r\nExecution T1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nPrivilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass UAC\r\nDefense Evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification\r\nDefense Evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs\r\nDiscovery T1087.002 Account Discovery: Domain Account\r\nDiscovery T1083 File and Directory Discovery\r\nLateral Movement T1570 Lateral Tool Transfer\r\nCommand 
and Control T1071.001 Application Layer Protocol: Web Protocols\r\nExfiltration T1048 Exfiltration Over Alternative Protocol\r\nImpact T1486 Data Encrypted for Impact\r\nImpact T1491.001 Defacement: Internal Defacement\r\nSource: https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack"
	],
	"report_names": [
		"blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "76e1fb02-1ceb-4fe5-8a68-456f0d4c62a4",
			"created_at": "2024-02-02T02:00:04.037062Z",
			"updated_at": "2026-04-10T02:00:03.535409Z",
			"deleted_at": null,
			"main_name": "Velvet Tempest",
			"aliases": [
				"DEV-0504"
			],
			"source_name": "MISPGALAXY:Velvet Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/928eec9e4a9544b5135ba6a1d867e1f52e64d54b.pdf",
		"text": "https://archive.orkl.eu/928eec9e4a9544b5135ba6a1d867e1f52e64d54b.txt",
		"img": "https://archive.orkl.eu/928eec9e4a9544b5135ba6a1d867e1f52e64d54b.jpg"
	}
}