{
	"id": "039b0515-1ac5-421f-b034-92273667e1ff",
	"created_at": "2026-04-06T02:12:58.196294Z",
	"updated_at": "2026-04-10T03:31:50.028807Z",
	"deleted_at": null,
	"sha1_hash": "b138f8883330c2006e9df2ccc4bf1a2c8531b683",
	"title": "ALPHV, BlackCat Gang - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126115,
	"plain_text": "ALPHV, BlackCat Gang - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-06 02:08:59 UTC\n APT group: ALPHV, BlackCat Gang\nNames\nALPHV (self given)\nALPHVM (self given)\nBlackCat Gang (?)\nUNC4466 (Mandiant)\nAmbitious Scorpius (Palo Alto)\nCountry [Unknown]\nMotivation Financial gain\nFirst seen 2021\nDescription\n(Palo Alto) BlackCat (aka ALPHV) is a ransomware family that surfaced in mid-November 2021 and\nquickly gained notoriety for its sophistication and innovation. Operating a ransomware-as-a-service\n(RaaS) business model, BlackCat was observed soliciting for affiliates in known cybercrime forums,\noffering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment. The\nremainder would be paid to the BlackCat author.\nThe threat actors leveraging BlackCat, often referred to as the 'BlackCat gang,' utilize numerous tactics\nthat are becoming increasingly commonplace in the ransomware space. Notably, they use multiple\nextortion techniques in some cases, including the siphoning of victim data before ransomware\ndeployment, threats to release data if the ransom is not paid and distributed denial-of-service (DDoS)\nattacks.\nKnown affiliates are:\n1. 
Subgroup: Scattered Spider\nObserved Countries: Worldwide.\nTools used\nBlackCat, GO Simple Tunnel, Impacket, LaZagne, MEGAsync, Mimikatz, Munchkin, PsExec,\nRemcom, WebBrowserPassView.\nOperations performed\nDec 2021\nGlobal IT services provider Inetum hit by ransomware attack\nDec 2021\nFashion giant Moncler confirms data breach after ransomware attack\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2670c199-9e61-49ea-b587-467cff960c5c\nPage 1 of 7\n\nJan 2022\nBlackCat ransomware implicated in attack on German oil companies\nJan 2022\nString of cyberattacks on European oil and chemical sectors likely not coordinated,\nofficials say\nFeb 2022\nBlackCat (ALPHV) claims Swissport ransomware attack, leaks data\nApr 2022\nBlackCat, believed a rebranded version of the BlackMatter or DarkSide ransomware\ngroup, has claimed to have successfully targeted several organizations including a\npopular Nigerian betting platform Bet9ja, three universities - FIU, NCAT State\nUniversity, AIT-Thailand, and the largest natural gas supplier in Latin America - TGS, in\nthe past few days.\nMay 2022\nAustrian federal state Carinthia has been hit by the BlackCat ransomware gang, also\nknown as ALPHV, who demanded a $5 million to unlock the encrypted computer\nsystems.\nMay 2022\nLockbit, Hive, and BlackCat attack automotive supplier in triple ransomware attack\nJun 2022\nLouisiana authorities investigating ransomware attack on city of Alexandria\nJun 2022\nBlackCat Attacks University of Pisa, Demands $4.5M Ransom\nJun 2022\nRansomware gang creates site for employees to search for their stolen data\nJul 2022\nBlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands\nJul 2022\nBandai Namco confirms hack after ALPHV ransomware data leak threat\nJul 2022\nThe ALPHV ransomware gang, aka BlackCat, claimed responsibility for a cyberattack\nagainst Creos Luxembourg S.A. 
last week, a natural gas pipeline and electricity network\noperator in the central European country.\nAug 2022\nMajor airline technology provider Accelya attacked by ransomware group\nAug 2022\nThe BlackCat/ALPHV ransomware gang claimed responsibility for an attack that hit the\nsystems of Italy's energy agency Gestore dei Servizi Energetici SpA (GSE) over the\nweekend.\nSep 2022\n“BlackCat” attempts to up the pressure on Suffolk County; starts to leak data?\nSep 2022\nBlackCat said they breached US Department of Defense contractor and went offline\nOct 2022\nALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial\nAccess\nDec 2022\nColombian energy supplier EPM hit by BlackCat ransomware attack\nDec 2022\nToy maker Jakks Pacific reports cyberattack after multiple ransomware groups leak data\nDec 2022\nRansomware gang cloned victim’s website to leak stolen data\nJan 2023\nThe BlackCat Ransomware group claims to have hacked SOLAR INDUSTRIES INDIA\nand to have stolen 2TB of “secret military data.”\nJan 2023\nBlackCat Adds Indian Missile Fuel Maker to Its Victims List\nFeb 2023\nPennsylvania Health System CEO Confirms BlackCat Attack\nFeb 2023\nRansomware gang posts breast cancer patients’ clinical photographs\nFeb 2023\nReddit hackers threaten to leak data stolen in February breach\nMar 2023\nAmazon-owned Ring denies ‘ransomware event’ following darknet listing\nMar 2023\nIndian pharmaceutical giant warns of revenue loss, litigation after ransomware attack\nApr 2023\nAustralian Law Firm Hack Affected 65 Government Agencies\nMay 2023\nALPHV gang claims ransomware attack on Constellation Software\nMay 2023\nLegal services platform used by SEC, Pentagon investigating ransomware attack claims\nMay 2023\nNorton Healthcare discloses data breach after May ransomware attack\nJun 2023\nBlackCat ransomware fails to extort Australian commercial law 
giant\nJun 2023\nNow BlackCat extortionists threaten to leak stolen plastic surgery pics\nJun 2023\nBangladesh government website leaks citizens’ personal data\nJun 2023\nAlphV group takes credit for ransomware attack on Georgia county\nJul 2023\nBlackCat, Clop claim ransomware attack on cosmetics maker Estée Lauder\nJul 2023\nALPHV ransomware adds data leak API in new extortion strategy\nJul 2023\nJapanese watchmaker Seiko breached by BlackCat ransomware gang\nAug 2023\nMicrosoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom\nSep 2023\nBlackCat ransomware hits Azure Storage with Sphynx encryptor\nSep 2023\nAlphv group claims the hack of Clarion, a global manufacturer of audio and video\nequipment for cars\nSep 2023\nProduct leasing giant warns that sensitive information was stolen during cyberattack\nSep 2023\nLarge Michigan healthcare provider confirms ransomware attack\nSep 2023\nMotel One discloses data breach following ransomware attack\nOct 2023\nMcLaren Health Care says data breach impacted 2.2 million people\nOct 2023\nALPHV ransomware gang claims attack on Florida circuit court\nOct 2023\nThe Alphv ransomware gang stole 5TB of data from the Morrison Community Hospital\nOct 2023\nBlackCat Climbs the Summit With a New Tactic\nOct 2023\nAnother small firm suffers a serious ransomware attack: Cadre Services gets mauled by\nAlphV\nOct 2023\nBlackCat ransomware claims breach of healthcare giant Henry Schein\nOct 2023\nAdvarra hacked, threat actors threatening to leak data\nNov 2023\nAlphV files an SEC complaint against MeridianLink for not disclosing a breach to the\nSEC\nNov 2023\nNotorious ransomware gang takes credit for cyberattack on Fidelity National Financial\nNov 2023\nThe big bad BlackCat tries to bully Hampton-Newport News CSB. 
Shame on BlackCat.\nNov 2023\nHenry Schein re-encrypted by BlackCat again\nNov 2023\nHTC Global Services confirms cyberattack after data leaked online\nNov 2023\nTrans-Northern Pipelines investigating ALPHV ransomware attack claims\nDec 2023\nAlphV claims an attack before even alerting the victim. How will that work out for\nthem?\nDec 2023\nIf at first you don’t succeed, screw it up again?\nDec 2023\nAlphV reacts to law enforcement action by allowing affiliates to attack hospitals, critical\ninfrastructure\nJan 2024\nALPHV ransomware claims loanDepot, Prudential Financial breaches\nFeb 2024\nUnitedHealth subsidiary Optum hack linked to BlackCat ransomware\nFeb 2024\nHessen Consumer Center says systems encrypted by ransomware\nMar 2024\nBlackCat ransomware shuts down in exit scam, blames the 'feds'\nCounter operations\nDec 2023\nJustice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant\nFeb 2024\nUS offers up to $15 million for tips on ALPHV ransomware gang\nMar 2024\nUS offers $10 million bounty for info on 'Blackcat' hackers who hit UnitedHealth\nInformation\nLast change to this card: 27 June 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2670c199-9e61-49ea-b587-467cff960c5c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2670c199-9e61-49ea-b587-467cff960c5c"
	],
	"report_names": [
		"showcard.cgi?u=2670c199-9e61-49ea-b587-467cff960c5c"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775441578,
	"ts_updated_at": 1775791910,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b138f8883330c2006e9df2ccc4bf1a2c8531b683.pdf",
		"text": "https://archive.orkl.eu/b138f8883330c2006e9df2ccc4bf1a2c8531b683.txt",
		"img": "https://archive.orkl.eu/b138f8883330c2006e9df2ccc4bf1a2c8531b683.jpg"
	}
}