{
	"id": "f96c6df2-5d4d-42ff-b931-601c2addb268",
	"created_at": "2026-04-06T00:15:37.242051Z",
	"updated_at": "2026-04-10T03:34:25.025579Z",
	"deleted_at": null,
	"sha1_hash": "a0fbf8584660c6e2147696e1929aafbbd5de3fb5",
	"title": "The many lives of BlackCat ransomware | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 758913,
	"plain_text": "The many lives of BlackCat ransomware | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-06-13 · Archived: 2026-04-05 14:55:32 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0237 is now tracked as Pistachio Tempest and DEV-0504 is now tracked as Velvet Tempest.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nThe BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware as a service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same: target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid.\r\nFirst observed in November 2021, BlackCat initially made headlines because it was one of the first ransomware families written in the Rust programming language. By using a modern language for its payload, this ransomware attempts to evade detection, especially by conventional security solutions that might still be catching up in their ability to analyze and parse binaries written in such a language. BlackCat can also target multiple devices and operating systems. 
Microsoft has observed successful attacks against Windows and Linux devices and VMWare\r\ninstances.\r\nAs we previously explained, the RaaS affiliate model consists of multiple players: access brokers, who\r\ncompromise networks and maintain persistence; RaaS operators, who develop tools; and RaaS affiliates, who\r\nperform other activities like moving laterally across the network and exfiltrating data before ultimately launching\r\nthe ransomware payload. Thus, as a RaaS payload, how BlackCat enters a target organization’s network varies,\r\ndepending on the RaaS affiliate that deploys it. For example, while the common entry vectors for these threat\r\nactors include remote desktop applications and compromised credentials, we also saw a threat actor leverage\r\nExchange server vulnerabilities to gain target network access. In addition, at least two known affiliates are now\r\nadopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504\r\n(previously deployed Ryuk, REvil, BlackMatter, and Conti).\r\nSuch variations and adoptions markedly increase an organization’s risk of encountering BlackCat and pose\r\nchallenges in detecting and defending against it because these actors and groups have different tactics, techniques,\r\nand procedures (TTPs). Thus, no two BlackCat “lives” or deployments might look the same. Indeed, based on\r\nhttp://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/\r\nPage 1 of 13\n\nMicrosoft threat data, the impact of this ransomware has been noted in various countries and regions in Africa, the\r\nAmericas, Asia, and Europe.\r\nHuman-operated ransomware attacks like those that deploy BlackCat continue to evolve and remain one of the\r\nattackers’ preferred methods to monetize their attacks. 
Organizations should consider complementing their security best practices and policies with a comprehensive solution like Microsoft 365 Defender, which offers protection capabilities that correlate various threat signals to detect and block such attacks and their follow-on activities.\r\nIn this blog, we provide details about the ransomware’s techniques and capabilities. We also take a deep dive into two incidents we’ve observed where BlackCat was deployed, as well as additional information about the threat activity groups that now deliver it. Finally, we offer best practices and recommendations to help defenders protect their organizations against this threat, including hunting queries and product-specific mitigations.\r\nBlackCat’s anatomy: Payload capabilities\r\nAs mentioned earlier, BlackCat is one of the first ransomware families written in the Rust programming language. Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in an attempt not only to avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the payloads or compare them to similar threats.\r\nBlackCat can target and encrypt Windows and Linux devices and VMWare instances. It has extensive capabilities, including self-propagation, which an affiliate can configure for their own use and for the environment encountered.\r\nIn the instances we’ve observed where the BlackCat payload did not have administrator privileges, the payload was launched via dllhost.exe, which then launched the commands listed in Table 1 via cmd.exe. 
These commands could vary, as the BlackCat payload allows affiliates to customize execution to the environment.\r\nThe flags used by the attackers and the options available were the following: -s, -d, -f, -c, --access-token, --propagated, and --no-prop-servers.\r\nFigure 1. BlackCat payload deployment options\r\nCommand | Description\r\n[service name] /stop | Stops running services to allow encryption of data\r\nvssadmin.exe Delete Shadows /all /quiet | Deletes backups to prevent recovery\r\nwmic.exe Shadowcopy Delete | Deletes shadow copies\r\nwmic csproduct get UUID | Gets the Universally Unique Identifier (UUID) of the target device\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f | Modifies the registry to change MaxMpxCt settings; BlackCat does this to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology)\r\nfor /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\" | Clears event logs\r\nfsutil behavior set SymlinkEvaluation R2L:1 | Allows remote-to-local symbolic links; a symbolic link is a file-system object (for example, a file or folder) that points to another file system object, like a shortcut in many ways but more powerful\r\nfsutil behavior set SymlinkEvaluation R2R:1 | Allows remote-to-remote symbolic links\r\nnet use \\\\[computer name] /user:[domain]\\[user] [password] /persistent:no | Mounts network share\r\nTable 1. 
List of commands the BlackCat payload can run\r\nUser account control (UAC) bypass\r\nBlackCat can bypass UAC, which means the payload will successfully run even if it is launched from a non-administrator context. If the ransomware isn’t run with administrative privileges, it runs a secondary process under dllhost.exe with sufficient permissions to encrypt the maximum number of files on the system.\r\nDomain and device enumeration\r\nThe ransomware can determine the computer name of the given system, the local drives on a device, and the AD domain name and username on a device. The malware can also identify whether a user has domain admin privileges, thus increasing its capability of ransoming more devices.\r\nSelf-propagation\r\nBlackCat discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNS) messages to check for these additional devices. The ransomware then attempts to replicate itself on the answering servers via PsExec, using the credentials specified within the config.\r\nHampering recovery efforts\r\nBlackCat has numerous methods to make recovery efforts more difficult. The following are commands that might be launched by the payload, as well as their purposes:\r\nModify boot loader\r\n“C:\\Windows\\system32\\cmd.exe” /c “bcdedit /set {default}”\r\n“C:\\Windows\\system32\\cmd.exe” /c “bcdedit /set {default} recoveryenabled No”\r\nDelete volume shadow copies\r\n“C:\\Windows\\system32\\cmd.exe” /c “vssadmin.exe Delete Shadows /all /quiet”\r\n“C:\\Windows\\system32\\cmd.exe” /c “wmic.exe Shadowcopy Delete”\r\nClear Windows event logs\r\n“C:\\Windows\\system32\\cmd.exe” /c “cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"”\r\nSlinking its way in: Identifying attacks that can lead to BlackCat ransomware\r\nConsistent with the RaaS model, threat actors utilize BlackCat as an additional payload to their ongoing campaigns. While their TTPs remain largely the same (for example, using tools like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack. Therefore, the pre-ransom steps of these attacks can also be markedly different.\r\nFor example, our research noted that one affiliate that deployed BlackCat leveraged unpatched Exchange servers or used stolen credentials to access target networks. The following sections detail the end-to-end attack chains of the two incidents we’ve observed.\r\nCase study 1: Entry via unpatched Exchange\r\nIn one incident we’ve observed, attackers took advantage of an unpatched Exchange server to enter the target organization.\r\nFigure 2. Observed BlackCat ransomware attack chain via Exchange vulnerability exploitation\r\nDiscovery\r\nUpon exploiting the Exchange vulnerability, the attackers launched the following discovery commands to gather information about the device they had compromised:\r\ncmd.exe and the commands ver and systeminfo – to collect operating system information\r\nnet.exe – to determine domain computers, domain controllers, and domain admins in the environment\r\nAfter executing these commands, the attackers navigated through directories and discovered a passwords folder that granted them access to account credentials they could use in the subsequent stages of the attack. 
They also used the del command to delete files related to their initial compromise activity.\r\nThe attackers then mounted a network share using net use and the stolen credentials and began looking for potential lateral movement targets using a combination of methods. First, they used WMIC.exe with the previously gathered device name as the node, launched the command whoami /all, and pinged google.com to check network connectivity. The output of these commands was then written to a .log file on the mounted share. Second, the attackers used PowerShell.exe with the cmdlet Get-ADComputer and a filter to gather the last sign-in event.\r\nLateral movement\r\nTwo and a half days later, the attackers signed into one of the target devices they had found during their initial discovery efforts, using compromised credentials via interactive sign-in. They opted for a credential theft technique that didn’t require dropping a file like Mimikatz that antivirus products might detect. Instead, they opened Taskmgr.exe, created a dump file of the LSASS.exe process, and saved the file to a ZIP archive.\r\nThe attackers continued their previous discovery efforts using a PowerShell script version of ADRecon (ADRecon.ps1), which is a tool designed to gather extensive information about an Active Directory (AD) environment. The attackers followed up this action with a network scanning tool that opened connections to devices in the organization on server message block (SMB) and remote desktop protocol (RDP). 
For discovered devices, the\r\nattackers attempted to navigate to various network shares and used the Remote Desktop client (mstsc.exe) to sign\r\ninto these devices, once again using the compromised account credentials.\r\nThese behaviors continued for days, with the attackers signing into numerous devices throughout the organization,\r\ndumping credentials, and determining what devices they could access.\r\nCollection and exfiltration\r\nOn many of the devices the attackers signed into, efforts were made to collect and exfiltrate extensive amounts of\r\ndata from the organization, including domain settings and information and intellectual property. To do this, the\r\nattackers used both MEGAsync and Rclone, which were renamed as legitimate Windows process names (for\r\nexample, winlogon.exe, mstsc.exe).\r\nExfiltration of domain information to identify targets for lateral movement\r\nCollecting domain information allowed the attackers to progress further in their attack because the said\r\ninformation could identify potential targets for lateral movement or those that would help the attackers distribute\r\ntheir ransomware payload. 
To do this, the attackers once again used ADRecon.ps1 with numerous PowerShell cmdlets such as the following:\r\nGet-ADRGPO – gets group policy objects (GPO) in a domain\r\nGet-ADRDNSZone – gets all DNS zones and records in a domain\r\nGet-ADRGPLink – gets all group policy links applied to a scope of management in a domain\r\nAdditionally, the attackers dropped and used ADFind.exe commands to gather information on persons, computers, organizational units, and trust information, as well as pinged dozens of devices to check connectivity.\r\nExfiltration for double extortion\r\nIntellectual property theft likely allowed the attackers to threaten the release of information if the subsequent ransom wasn’t paid, a practice known as “double extortion.” To steal intellectual property, the attackers targeted and collected data from SQL databases. They also navigated through directories and project folders, among others, of each device they could access, then exfiltrated the data they found there.\r\nThe exfiltration occurred over multiple days on multiple devices, which allowed the attackers to gather large volumes of information that they could then use for double extortion.\r\nEncryption and ransom\r\nIt was a full two weeks from the initial compromise before the attackers progressed to ransomware deployment, thus highlighting the need for triaging and scoping out alert activity to understand which accounts an attacker compromised and the scope of access they gained. Distribution of the ransomware payload using PsExec.exe proved to be the most common attack method.\r\nFigure 3. 
Ransom note displayed by BlackCat upon successful infection\r\nCase study 2: Entry via compromised credentials\r\nIn another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server, using compromised credentials to sign in.\r\nFigure 4. Observed BlackCat ransomware attack chain via stolen credentials\r\nLateral movement\r\nOnce the attackers gained access to the target environment, they used SMB to copy over and launch the Total Deployment Software administrative tool, allowing remote automated software deployment. Once this tool was installed, the attackers used it to install ScreenConnect (now known as ConnectWise), a remote desktop software application.\r\nCredential theft\r\nScreenConnect was used to establish a remote session on the device, allowing the attackers interactive control. With the device in their control, the attackers used cmd.exe to update the Registry to allow cleartext authentication via WDigest, which saved the attackers time by not having to crack password hashes. Shortly after, they used the Task Manager to dump the LSASS.exe process to steal the password, now in cleartext.\r\nEight hours later, the attackers reconnected to the device and stole credentials again. This time, however, they dropped and launched Mimikatz for the credential theft routine, likely because it can grab credentials beyond those stored in LSASS.exe. The attackers then signed out.\r\nPersistence and encryption\r\nA day later, the attackers returned to the environment using ScreenConnect. They used PowerShell to launch a command prompt process and then added a user account to the device using net.exe. 
The new user was then added to the local administrators group via net.exe.\r\nAfterward, the attackers signed in using their newly created user account and began dropping and launching the ransomware payload. This account would also serve as a means of additional persistence beyond ScreenConnect and their other footholds in the environment, allowing them to re-establish their presence if needed. Ransomware adversaries are not above ransoming the same organization twice if access is not fully remediated.\r\nChrome.exe was used to navigate to a domain hosting the BlackCat payload. Notably, the folder structure included the organization name, indicating that this was a pre-staged payload specifically for the organization. Finally, the attackers launched the BlackCat payload on the device to encrypt its data.\r\nRansomware affiliates deploying BlackCat\r\nApart from the incidents discussed earlier, we’ve also observed that two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat. Payload switching is typical for some RaaS affiliates to ensure business continuity or if there’s a possibility of better profit. Unfortunately for organizations, such adoption further adds to the challenge of detecting related threats.\r\nMicrosoft tracks one of these affiliate groups as DEV-0237. Also known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022. 
Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.\r\nDEV-0504 is another active affiliate group that we’ve seen switching to BlackCat for their ransomware attacks. As with many RaaS affiliate groups, the following TTPs might be observed in a DEV-0504 attack:\r\nEntry vector that can involve the affiliate remotely signing into devices with compromised credentials, such as into devices running software solutions that allow for remote work\r\nThe attackers’ use of their access to conduct discovery on the domain\r\nLateral movement that potentially uses the initial compromised account\r\nCredential theft with tools like Mimikatz and Rubeus\r\nDEV-0504 typically exfiltrates data from the devices they compromise using a malicious tool such as StealBit, often named “send.exe” or “sender.exe”. PsExec is then used to distribute the ransomware payload. The group has been observed delivering the following ransomware families before their adoption of BlackCat beginning December 2021:\r\nBlackMatter\r\nConti\r\nLockBit 2.0\r\nREvil\r\nRyuk\r\nDefending against BlackCat ransomware\r\nToday’s ransomware attacks have become more impactful because of their growing industrialization through the RaaS affiliate model and the increasing trend of double extortion. The incidents we’ve observed related to the BlackCat ransomware leverage these two factors, making this threat durable against conventional security and defense approaches that only focus on detecting the ransomware payloads. 
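The following is an added example written for this page; it is not code from Microsoft or from the original post. It turns the payload commands in Table 1, the recovery-hampering commands, and the pre-ransom steps from the two case studies (the WDigest registry change, the new local administrator, rclone-style copy flags) into one detector run over constructed process-creation events, with the same 64-hex access-token and get uuid checks as the hunting queries in the appendix. The ProcEvent fields, the rule names, the sample command lines and the placeholder token are all assumptions made for the example; UseLogonCredential is the standard WDigest value name and is not taken from the page.

```python
import re
from dataclasses import dataclass

# A single backslash, built with chr() so the constructed command lines below
# contain no escape sequences at all.
BS = chr(92)

# Stand-in for the DeviceProcessEvents columns the hunting queries use.
# Constructed minimal schema for this example, not Microsoft's table definition.
@dataclass
class ProcEvent:
    device: str       # DeviceName
    parent: str       # InitiatingProcessFileName
    parent_cmd: str   # InitiatingProcessCommandLine
    cmd: str          # ProcessCommandLine

# BlackCat's --access-token value is a 64-character hex string; matching is on lowercased text.
HEX64 = re.compile(r'^[0-9a-f]{64}$')

def has_all(text, *needles):
    # Same idea as KQL has_all(): every needle must appear in the (lowercased) text.
    return all(n in text for n in needles)

def classify(ev):
    # Returns the names of every BlackCat-related behaviour the event matches.
    # Rule names are this example's own labels, not Microsoft alert titles.
    c = ev.cmd.lower()
    p = ev.parent_cmd.lower()
    hits = []
    # Hampering recovery (Table 1 and the recovery-hampering commands)
    if has_all(c, 'vssadmin', 'delete', 'shadows') or has_all(c, 'wmic', 'shadowcopy', 'delete'):
        hits.append('shadow_copy_deletion')
    if has_all(c, 'bcdedit', 'recoveryenabled', 'no'):
        hits.append('recovery_disabled')
    if has_all(c, 'wevtutil', ' el', ' cl'):
        hits.append('event_log_clearing')
    # Preparation for PsExec-based spreading
    if has_all(c, 'lanmanserver', 'parameters', 'maxmpxct', '65535'):
        hits.append('maxmpxct_tuning')
    if has_all(c, 'fsutil', 'symlinkevaluation') and ('r2l:1' in c or 'r2r:1' in c):
        hits.append('remote_symlink_enabled')
    # Pre-ransom steps from the case studies: WDigest cleartext caching (value name
    # UseLogonCredential assumed, not from the page), new local admin, rclone-style copy
    if has_all(c, 'wdigest', 'uselogoncredential', '/d 1'):
        hits.append('wdigest_cleartext_enabled')
    if has_all(c, 'net', 'localgroup', 'administrators', '/add'):
        hits.append('local_admin_added')
    if has_all(c, 'copy', '--max-age', '--ignore-existing', '--multi-thread-streams', '--transfers'):
        hits.append('rclone_style_exfil')
    # The payload itself: --access-token with a 64-hex value, and its UUID lookup
    # spawned by a parent that carries that token
    if '--access-token' in c and any(HEX64.match(tok) for tok in c.split()):
        hits.append('blackcat_access_token')
    if '--access-token' in p and has_all(c, 'csproduct', 'get', 'uuid'):
        hits.append('blackcat_uuid_lookup')
    return hits

def hunt(events):
    # Pivot hits per device; the case studies show one host accumulating several within hours.
    per_device = {}
    for ev in events:
        for rule in classify(ev):
            per_device.setdefault(ev.device, set()).add(rule)
    return {d: sorted(rules) for d, rules in sorted(per_device.items())}

def devices_to_triage(events, min_rules=2):
    # A single hit (an admin deleting shadow copies) is noisy; two distinct
    # behaviours on one host is worth a ticket.
    return [d for d, rules in hunt(events).items() if len(rules) >= min_rules]

# Constructed sample telemetry (not real incident data) modelled on the commands in the post.
REG_LANMAN = BS.join(['HKEY_LOCAL_MACHINE', 'SYSTEM', 'CurrentControlSet', 'Services', 'LanmanServer', 'Parameters'])
REG_WDIGEST = BS.join(['HKLM', 'SYSTEM', 'CurrentControlSet', 'Control', 'SecurityProviders', 'WDigest'])
FAKE_TOKEN = 'a' * 64   # placeholder; real tokens are affiliate-specific

SAMPLE_EVENTS = [
    ProcEvent('srv01', 'cmd.exe', 'cmd.exe', 'vssadmin.exe Delete Shadows /all /quiet'),
    ProcEvent('srv01', 'cmd.exe', 'cmd.exe', 'bcdedit /set {default} recoveryenabled No'),
    ProcEvent('srv01', 'cmd.exe', 'cmd.exe', 'reg add ' + REG_LANMAN + ' /v MaxMpxCt /d 65535 /t REG_DWORD /f'),
    ProcEvent('srv01', 'dllhost.exe', 'dllhost.exe', 'payload.exe --access-token ' + FAKE_TOKEN + ' -v'),
    ProcEvent('srv01', 'payload.exe', 'payload.exe --access-token ' + FAKE_TOKEN + ' -v', 'wmic csproduct get UUID'),
    ProcEvent('ws07', 'cmd.exe', 'cmd.exe', 'reg add ' + REG_WDIGEST + ' /v UseLogonCredential /t REG_DWORD /d 1 /f'),
    ProcEvent('ws07', 'cmd.exe', 'cmd.exe', 'net localgroup administrators backup_svc /add'),
    # Rclone renamed to a Windows process name, as in case study 1
    ProcEvent('ws07', 'winlogon.exe', 'winlogon.exe',
              'winlogon.exe copy D:' + BS + 'Projects remote:bucket --max-age 90d --ignore-existing --multi-thread-streams 8 --transfers 16'),
    # Benign look-alike: listing shadow copies is routine administration
    ProcEvent('ws12', 'explorer.exe', 'explorer.exe', 'vssadmin list shadows'),
]

if __name__ == '__main__':
    for device, rules in hunt(SAMPLE_EVENTS).items():
        print(device, rules)
    print('triage:', devices_to_triage(SAMPLE_EVENTS))
```

Running it prints the rule hits per device and the hosts that cross the two-behaviour threshold. The threshold is the design point: any one of these commands also appears in legitimate administration, but the combination of recovery tampering, the MaxMpxCt change and an access-token launch on the same host within a short window is what the case studies describe.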
Detecting threats like BlackCat, while good, is no longer enough as human-operated ransomware continues to grow, evolve, and adapt to the networks it’s deployed in or the attackers it works for.\r\nInstead, organizations must shift their defensive strategies to prevent the end-to-end attack chain. As noted above, while attackers’ entry points may vary, their TTPs remain largely the same. In addition, these types of attacks continue to take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Therefore, defenders should address these common paths and weaknesses by hardening their networks through various best practices such as access monitoring and proper patch management. We provide detailed steps on building these defensive strategies against ransomware in this blog.\r\nIn the BlackCat-related incidents we’ve observed, the common entry points for ransomware affiliates were compromised credentials used to access internet-facing remote access software, and unpatched Exchange servers. Therefore, defenders should review their organization’s identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment to update them as soon as possible. The financial impact, reputation damage, and other repercussions that stem from attacks involving ransomware like BlackCat far outweigh the downtime, service interruption, and other pain points of applying security updates and implementing best practices.\r\nLeveraging Microsoft 365 Defender’s comprehensive threat defense capabilities\r\nMicrosoft 365 Defender helps protect organizations from attacks that deliver the BlackCat ransomware and other similar threats by providing cross-domain visibility and coordinated threat defense. 
It uses multiple layers of dynamic protection technologies and correlates threat data from email, endpoints, identities, and cloud apps.\r\nMicrosoft Defender for Endpoint detects tools like Mimikatz, the actual BlackCat payload, and subsequent attacker behavior. Threat and vulnerability management capabilities also help discover vulnerable or misconfigured devices across different platforms; such capabilities could help detect and block possible exploitation attempts on vulnerable devices, such as those running Exchange. Finally, advanced hunting lets defenders create custom detections to proactively surface this ransomware and other related threats.\r\nAdditional mitigations and recommendations\r\nDefenders can also take the following steps to reduce the impact of this ransomware:\r\nTurn on Microsoft Defender Antivirus. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a large amount of new and unknown variants.\r\nEnforce strong, randomized local administrator passwords. Use tools like Local Administrator Password Solution (LAPS).\r\nRequire multifactor authentication (MFA) for local device access, RDP access, and remote connections through virtual private networks (VPNs) and Outlook Web Access. Solutions like Windows Hello or Fast ID Online (FIDO) v2.0 security keys let users sign in using biometrics and/or a physical key or device.\r\nTurn on Microsoft Defender Firewall.\r\nImplement controlled folder access to help prevent files from being altered or encrypted by ransomware. Set controlled folder access to Enabled or Audit mode.\r\nInvestigate and remediate vulnerabilities in Exchange servers. 
Also, determine whether implementing the Exchange Emergency Mitigation service is feasible for your environment. This service helps keep your Exchange servers secure by applying mitigations to address potential threats against your servers.\r\nMicrosoft 365 Defender customers can also apply the additional mitigations below:\r\nUse advanced protection against ransomware.\r\nTurn on tamper protection in Microsoft Defender for Endpoint to prevent malicious changes to security settings. Enable network protection in Microsoft Defender for Endpoint and Microsoft 365 Defender to prevent applications or users from accessing malicious domains and other malicious content on the internet.\r\nEnsure Exchange servers have applied the mitigations referenced in the related Threat Analytics report.\r\nTurn on the following attack surface reduction rules to block or audit activity associated with this threat:\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nBlock process creations originating from PSExec and WMI commands\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nFor a full list of ransomware mitigations regardless of threat, refer to this article: Rapidly protect against ransomware and extortion.\r\nLearn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender.\r\nMicrosoft 365 Defender Threat Intelligence Team\r\nAppendix\r\nMicrosoft 365 Defender detections\r\nMicrosoft Defender Antivirus\r\nRansom:Win32/BlackCat!MSR\r\nRansom:Win32/BlackCat.MK!MTB\r\nRansom:Linux/BlackCat.A!MTB\r\nMicrosoft Defender for Endpoint EDR\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nAn active ‘BlackCat’ ransomware was detected\r\n‘BlackCat’ ransomware was 
detected\r\nBlackCat ransomware\r\nHunting queries\r\nMicrosoft 365 Defender\r\nTo locate possible ransomware activity, run the following queries.\r\nSuspicious process execution in PerfLogs path\r\nUse this query to look for processes executing in PerfLogs, a common path used to place the ransomware payloads.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFolderPath has \"PerfLogs\"\r\n| where InitiatingProcessFileName matches regex \"[a-z]{3}.exe\"\r\n| extend Length = strlen(InitiatingProcessFileName)\r\n| where Length == 7\r\nSuspicious registry modification of MaxMpxCt parameters\r\nUse this query to look for suspicious running processes that modify registry settings to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology).\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all(\"LanmanServer\", \"parameters\", \"MaxMpxCt\", \"65535\")\r\nSuspicious command line indicative of BlackCat ransom payload execution\r\nUse these queries to look for instances of the BlackCat payload executing, based on the ‘--access-token’ command argument it requires to successfully encrypt.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all(\"--access-token\", \"-v\")\r\n| extend CommandArguments = split(ProcessCommandLine, \" \")\r\n| mv-expand CommandArguments\r\n| where CommandArguments matches regex \"^[A-Fa-f0-9]{64}$\"\r\nDeviceProcessEvents\r\n| where InitiatingProcessCommandLine has \"--access-token\"\r\n| where ProcessCommandLine has \"get uuid\"\r\nSuspected data exfiltration\r\nUse this query to look for command lines that indicate data exfiltration and the indication that an attacker may attempt double extortion.\r\nDeviceNetworkEvents\r\n| where InitiatingProcessCommandLine has_all(\"copy\", \"--max-age\", \"--ignore-existing\", \"--multi-thread-streams\", \"--transfers\") and InitiatingProcessCommandLine has_any(\"ftp\", \"ssh\", \"-q\")\r\nSource: http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
	],
	"report_names": [
		"the-many-lives-of-blackcat-ransomware"
	],
	"threat_actors": [
		{
			"id": "76e1fb02-1ceb-4fe5-8a68-456f0d4c62a4",
			"created_at": "2024-02-02T02:00:04.037062Z",
			"updated_at": "2026-04-10T02:00:03.535409Z",
			"deleted_at": null,
			"main_name": "Velvet Tempest",
			"aliases": [
				"DEV-0504"
			],
			"source_name": "MISPGALAXY:Velvet Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434537,
	"ts_updated_at": 1775792065,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0fbf8584660c6e2147696e1929aafbbd5de3fb5.pdf",
		"text": "https://archive.orkl.eu/a0fbf8584660c6e2147696e1929aafbbd5de3fb5.txt",
		"img": "https://archive.orkl.eu/a0fbf8584660c6e2147696e1929aafbbd5de3fb5.jpg"
	}
}