{
	"id": "0804de34-f6ca-4bd8-b03f-dc38d552f42e",
	"created_at": "2026-04-06T02:10:40.620466Z",
	"updated_at": "2026-04-10T03:33:15.618063Z",
	"deleted_at": null,
	"sha1_hash": "9f050b8452d7b63e4d794f66cc4f6c525c51b3a3",
	"title": "ALPHV BlackCat - This year's most sophisticated ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2368951,
	"plain_text": "ALPHV BlackCat - This year's most sophisticated ransomware\r\nBy Lawrence Abrams\r\nPublished: 2021-12-09 · Archived: 2026-04-06 02:08:45 UTC\r\nThe new ALPHV ransomware operation, aka BlackCat, launched last month and could be the most sophisticated ransomware of the year, with a highly customizable feature set allowing for attacks on a wide range of corporate environments.\r\nThe ransomware executable is written in Rust, which is not typical for malware developers but is slowly increasing in popularity due to its high performance and memory safety.\r\nMalwareHunterTeam found the new ransomware and told BleepingComputer that the first ID Ransomware submission for the new operation was on November 21st.\r\nhttps://www.bleepingcomputer.com/news/security/alphv-blackcat-this-years-most-sophisticated-ransomware/\r\nPage 1 of 9\r\nThe ransomware is named by the developers as ALPHV and is being promoted on Russian-speaking hacking forums.\r\nALPHV RaaS promoted on Russian-speaking hacking forum\r\nSource: Twitter\r\nMalwareHunterTeam named the ransomware BlackCat because the same favicon of a black cat is used on every victim's Tor payment site, while the data leak site uses a bloody dagger, shown below.\r\nFavicons used on Tor payment and data leak sites\r\nLike all ransomware-as-a-service (RaaS) operations, the ALPHV BlackCat operators recruit affiliates to perform corporate breaches and encrypt devices.\r\nIn return, affiliates earn varying revenue shares based on the size of a ransom payment. For example, for ransom payments up to $1.5 million, the affiliate earns 80%, 85% for up to $3 million, and 90% of payments over $3 million.\r\nTo illustrate the type of money an affiliate can earn from these RaaS programs, CNA reportedly paid a $40 million ransom to the Russian hacking group Evil Corp. Under ALPHV's revenue share, this would equate to $36 million paid to the affiliate.\r\nExploring the features of the ALPHV BlackCat ransomware\r\nThe ALPHV BlackCat ransomware includes numerous advanced features that let it stand out from other ransomware operations. In this section, we will take a look at the ransomware and how it operates, and demonstrate a test encryption from a sample shared with BleepingComputer.\r\nThe ransomware is entirely command-line driven, human-operated, and highly configurable, with the ability to use different encryption routines, spread between computers, kill virtual machines and ESXi VMs, and automatically wipe ESXi snapshots to prevent recovery.\r\nThese configurable options can be found using the --help command-line argument, shown below.\r\nALPHV BlackCat ransomware command-line arguments\r\nSource: BleepingComputer\r\nEach ALPHV ransomware executable includes a JSON configuration that allows customization of extensions, ransom notes, how data will be encrypted, excluded folders/files/extensions, and the services and processes to be automatically terminated.\r\nAccording to the threat actor, the ransomware can be configured to use four different encryption modes, as described in their \"recruitment\" post on a dark web hacking forum.\r\nThe software is written from scratch without using any templates or previously leaked source codes of other ransomware.\r\nThe choice is offered:\r\n4 encryption modes:\r\n-Full - full file encryption. The safest and slowest.\r\n-Fast - encryption of the first N megabytes. Not recommended for use, the most unsafe possible solution, but the fastest.\r\n-DotPattern - encryption of N megabytes through M step. If configured incorrectly, Fast can work worse both in speed and in cryptographic strength.\r\n-Auto. Depending on the type and size of the file, the locker (both on Windows and *nix / ESXi) chooses the most optimal (in terms of speed / security) strategy for processing files.\r\n-SmartPattern - encryption of N megabytes in percentage steps. By default, it encrypts 10 megabytes every 10% of the file starting from the header. The most optimal mode in the ratio of speed / cryptographic strength.\r\n2 encryption algorithms:\r\n-ChaCha20\r\n-AES\r\nIn auto mode, the software detects the presence of AES hardware support (exists in all modern processors) and uses it. If there is no AES support, the software encrypts files with ChaCha20.\r\nALPHV BlackCat can also be configured with domain credentials that can be used to spread the ransomware and encrypt other devices on the network. The executable will then extract PSExec to the %Temp% folder and use it to copy the ransomware to other devices on the network and execute it to encrypt the remote Windows machine.\r\nWhen launching the ransomware, the affiliate can use a console-based user interface that allows them to monitor the progression of the attack. In the image below, you can see this interface displayed while BleepingComputer encrypted a test device using a modified executable to append the .bleepin extension.\r\nEncrypting a test computer\r\nSource: BleepingComputer\r\nIn the sample tested by BleepingComputer, the ransomware will terminate processes and Windows services that could prevent files from being encrypted. These terminated processes include Veeam, backup software, database servers, Microsoft Exchange, Office applications, mail clients, and, so as not to leave gamers out, the Steam process.\r\nOther actions taken during this \"setup\" process include clearing the Recycle Bin, deleting Shadow Volume Copies, scanning for other network devices, and connecting to a Microsoft cluster if one exists.\r\nALPHV BlackCat also uses the Windows Restart Manager API to close processes or shut down Windows services that keep a file open during encryption.\r\nUsually, when encrypting a device, the ransomware will use a random name extension, which is appended to all files and included in the ransom note. Ransom notes are named in the format 'RECOVER-[extension]-FILES.txt', which in our example above is RECOVER-bleepin-FILES.txt.\r\nALPHV BlackCat ransom note\r\nSource: BleepingComputer\r\nRansom notes are preconfigured by the affiliate performing the attack and are different for each victim. Some ransom notes include the types of data stolen and a link to a Tor data leak site where the victims can preview stolen data.\r\nEach victim also has a unique Tor site and sometimes a unique data leak site, allowing the affiliate to conduct their own negotiations.\r\nFinally, BlackCat claims to be cross-platform with support for multiple operating systems.\r\nCross-platform software, i.e. if you mount Windows disks in Linux or vice versa, the decryptor will be able to decrypt the files. - ALPHV operator.\r\nOperating systems that the threat actors allegedly tested their ransomware on are included below:\r\nAll lines of Windows from 7 and higher (tested on 7, 8.1, 10, 11; 2008r2, 2012, 2016, 2019, 2022); XP and 2003 can be encrypted over SMB.\r\nESXi (tested on 5.5, 6.5, 7.0.2u)\r\nDebian (tested on 7, 8, 9);\r\nUbuntu (tested on 18.04, 20.04)\r\nReadyNAS, Synology\r\nRansomware expert and ID Ransomware creator Michael Gillespie has analyzed the encryption routine used by the ransomware and, unfortunately, was not able to find any weaknesses that could allow free decryption.\r\nAccess-token feature makes negotiations secret\r\nA long-standing problem affecting both victims and ransomware operations is that samples commonly get leaked through malware analysis sites, allowing full access to the negotiation chat between a ransomware gang and their victim.\r\nIn some cases, this has led to unrelated parties commenting in the chat and disrupting negotiations.\r\nTo prevent this from happening, the ALPHV BlackCat ransomware developers introduced an --access-token=[access_token] command-line argument that must be used when launching the encryptor.\r\nThis access token is used to create the access key needed to enter a negotiation chat on the ransomware gang's Tor payment site. As this token is not included in the malware sample, even if the sample is uploaded to a malware analysis site, researchers cannot use it to access a negotiation site without the ransom note from the actual attack.\r\nRansoms range from $400k to millions of dollars\r\nBleepingComputer is aware of multiple victims targeted by this ransomware since November from numerous countries, including the USA, Australia, and India.\r\nRansom demands range from $400,000 to $3 million, payable in Bitcoin or Monero. However, if victims pay in Bitcoin, an additional 15% fee is added to the ransom.\r\nALPHV Tor Payment Site\r\nSource: BleepingComputer\r\nHowever, as Monero is considered a privacy coin and frowned upon by the US government, it is not as easily accessible to victims.\r\nUnlike other ransomware operations that have been threatening to wipe or publish data if negotiation firms are hired, ALPHV is catering to ransomware negotiators with an \"Intermediary\" login page to conduct private negotiations.\r\nRansomware negotiation login page\r\nSource: BleepingComputer\r\nLike other newer ransomware gangs, ALPHV uses a triple-extortion tactic where they steal data before encrypting devices and threaten to publish the data if a ransom is not paid. BleepingComputer has seen multiple data leak sites for this operation where screenshots of data have been published.\r\nAs an additional extortion method, the threat actors threaten to DDoS victims until they pay a ransom.\r\nOverall, this is a highly sophisticated ransomware with the threat actors clearly considering all aspects of attacks.\r\nWith the BlackMatter and REvil ransomware operations shutting down under pressure from law enforcement, it has left a large void waiting for another threat actor to fill.\r\nALPHV BlackCat has a good chance of being the one to fill it.\r\nSource: https://www.bleepingcomputer.com/news/security/alphv-blackcat-this-years-most-sophisticated-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/alphv-blackcat-this-years-most-sophisticated-ransomware/"
	],
	"report_names": [
		"alphv-blackcat-this-years-most-sophisticated-ransomware"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441440,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f050b8452d7b63e4d794f66cc4f6c525c51b3a3.pdf",
		"text": "https://archive.orkl.eu/9f050b8452d7b63e4d794f66cc4f6c525c51b3a3.txt",
		"img": "https://archive.orkl.eu/9f050b8452d7b63e4d794f66cc4f6c525c51b3a3.jpg"
	}
}