{
	"id": "dd95ffb3-8372-45f5-91cc-b73e0333c424",
	"created_at": "2026-04-06T00:12:28.986735Z",
	"updated_at": "2026-04-10T03:35:52.88275Z",
	"deleted_at": null,
	"sha1_hash": "b83640eb3b764851e6f6ddcf559c556efb1d4e9c",
	"title": "ALPHV/BlackCat ransomware family becoming more dangerous",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 209276,
	"plain_text": "ALPHV/BlackCat ransomware family becoming more dangerous\r\nBy Alex Scroxton\r\nPublished: 2022-09-22 · Archived: 2026-04-05 18:47:24 UTC\r\nResearchers from Symantec share fresh insight into the ongoing development of the ransomware-as-a-service family known variously as ALPHV, BlackCat and Noberus\r\nThe developer or developers behind the ransomware-as-a-service (RaaS) family known variously as ALPHV, BlackCat and Noberus have been hard at work refining their tactics, techniques and procedures (TTPs) and today are probably more dangerous than ever before, according to intelligence from Symantec.\r\nThe ALPHV/BlackCat/Noberus operation – which Symantec tracks as Coreid (aka FIN7, Carbon Spider) – is a major and long-established player in the wider family of Russia-linked or Russia-based ransomware crews and affiliates, many of which are related through a murky and often hard-to-decipher web of alliances and interconnections.\r\nIt is known to date back at least a decade, to when it established the use of a malware called Carbanak, but these days it is more famous for its ransomware operation, with alleged links to the BlackMatter group, which in turn drew inspiration from the DarkSide operation that turned over Colonial Pipeline and, via them, possibly REvil.\r\nThe ALPHV/BlackCat/Noberus ransomware gained notoriety earlier in 2022 with a series of audacious heists targeting fuel logistics and transportation services operators in Europe, and educational institutions in the US.\r\nThe malware itself is coded in Rust, one of a group of multiplatform languages that are becoming increasingly valued by RaaS operators for their flexibility and the ability to quickly and easily target both Windows and Linux environments.\r\nNow, Symantec says it has observed a series of major updates to the ransomware and to Coreid’s overall modus operandi.\r\n“The continuous updating and refining of Noberus’ operations shows that Coreid is constantly adapting its ransomware operation to ensure it remains as effective as possible,” wrote Symantec’s team.\r\n“The FBI issued a warning in April 2022 saying that, between November 2021 and March 2022, at least 60 organisations worldwide had been compromised with the Noberus ransomware – the number of victims now is likely to be many multiples of that.”\r\nA new update, which dropped in June 2022, included an ARM build to encrypt non-standard architectures, and introduced a feature that adds new encryption functionality to its Windows build via rebooting into safe mode and safe mode with networking.\r\nIt also updated the locker itself, adding new restart logic and simplifying the Linux encryption process. An additional update in July added indexing of stolen data, making the group’s data leak website(s) searchable by parameters including keywords and file types.\r\nBut the group did not stop there. In August, Symantec says it observed an updated version of the Exmatter data exfiltration tool being used alongside ALPHV/BlackCat/Noberus in attacks. Exmatter, which is designed to steal specific file types from selected directories and upload them to the attacker’s server prior to deployment of the ransomware, had previously been seen used alongside the BlackMatter ransomware.\r\nAs of this summer, Exmatter includes refinements to the types of files it steals, the addition of file transfer protocol (FTP) capabilities in addition to SFTP and WebDAV, the ability to create reports listing processed files, the ability to corrupt them, and a self-destruct option, among other things. It has also been extensively rewritten, possibly in a bid to avoid detection.\r\nOne ALPHV/BlackCat/Noberus affiliate has also been observed using the Eamfo infostealer to target credentials stored by Veeam backup software – it does this by connecting to the Veeam SQL database and making a specific query. Eamfo may also have been used by LockBit and Yanluowang.\r\nTargeting Veeam for credential theft is an established technique that comes in handy from a malicious point of view because it enables privilege escalation and lateral movement, and therefore gives the attacker more access to data to steal and encrypt.\r\n“There’s no doubt that Coreid is one of the most dangerous and active ransomware developers operating at the moment,” wrote the Symantec team.\r\n“The group has been around since 2012 and became well-known for using its Carbanak malware to steal money from organisations worldwide, with the banking, hospitality and retail sectors among its preferred targets. Three members of the group were arrested in 2018, and in 2020 the group changed its tactics and launched its ransomware-as-a-service operation.\r\n“Its continuous development of its ransomware and its affiliate programs indicates that this sophisticated and well-resourced attacker has little intention of going anywhere anytime soon,” they said.\r\nRead more on Hackers and cybercrime prevention\r\nUS indicts three cyber pros who moonlit for ransomware gang\r\nBy: Alex Scroxton\r\nRisk \u0026 Repeat: Change Healthcare's bad ransomware bet\r\nBy: Alexander Culafi\r\nThe Change Healthcare attack: Explaining how it happened\r\nBy: Sean Kerner\r\nAlphv/BlackCat leak site goes down in possible exit scam\r\nBy: Alexander Culafi\r\nSource: https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous"
	],
	"report_names": [
		"ALPHV-BlackCat-ransomware-family-becoming-more-dangerous"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Silicon"
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b83640eb3b764851e6f6ddcf559c556efb1d4e9c.pdf",
		"text": "https://archive.orkl.eu/b83640eb3b764851e6f6ddcf559c556efb1d4e9c.txt",
		"img": "https://archive.orkl.eu/b83640eb3b764851e6f6ddcf559c556efb1d4e9c.jpg"
	}
}