{ "id": "3ea8ed94-efd3-4e31-969e-8bca3c26acb5", "created_at": "2026-04-06T00:17:39.51144Z", "updated_at": "2026-04-10T03:30:52.051253Z", "deleted_at": null, "sha1_hash": "bcde816e9a9e0f0138fbee6b52fc2b83ba6198b7", "title": "Threat Assessment: BlackCat Ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 552150, "plain_text": "Threat Assessment: BlackCat Ransomware\r\nBy Amanda Tanner, Alex Hinchliffe, Doel Santos\r\nPublished: 2022-01-27 · Archived: 2026-04-05 17:52:12 UTC\r\nExecutive Summary\r\nBlackCat (aka ALPHV) is a ransomware family that surfaced in mid-November 2021 and quickly gained notoriety\r\nfor its sophistication and innovation. Operating a ransomware-as-a-service (RaaS) business model, BlackCat was\r\nobserved soliciting for affiliates in known cybercrime forums, offering to allow affiliates to leverage the\r\nransomware and keep 80-90% of the ransom payment. The remainder would be paid to the BlackCat author.\r\nBlackCat has taken an aggressive approach to naming and shaming victims, listing more than a dozen on their\r\nleak site in a little over a month. The largest number of the group’s victims so far are U.S. organizations, but\r\nBlackCat and its affiliates have also attacked organizations in Europe, the Philippines and other locations. Victims\r\ninclude organizations in the following sectors: construction and engineering, retail, transportation, commercial\r\nservices, insurance, machinery, professional services, telecommunication, auto components and pharmaceuticals.\r\nUse of BlackCat ransomware has grown quickly for a variety of reasons (for comparison, AvosLocker had only\r\nlisted a handful of victims publicly within two months of becoming known). Effective marketing to affiliates is a\r\nlikely factor – in addition to offering an enticing share of ransom payments, the group has solicited affiliates by\r\nposting ads on forums such as Ransomware Anonymous Market Place (RAMP).\r\nThe malware itself is coded in the Rust programming language. Though this is not the first piece of malware to\r\nuse Rust, it is one of the first, if not the first, piece of ransomware to use it. By leveraging this programming\r\nlanguage, the malware authors are able to easily compile it against various operating system architectures. Given\r\nits numerous native options, Rust is highly customizable, which facilitates the ability to pivot and individualize\r\nattacks.\r\nThe threat actors leveraging BlackCat, often referred to as the \"BlackCat gang,” utilize numerous tactics that are\r\nbecoming increasingly commonplace in the ransomware space. Notably, they use multiple extortion techniques in\r\nsome cases, including the siphoning of victim data before ransomware deployment, threats to release data if the\r\nransom is not paid and distributed denial-of-service (DDoS) attacks.\r\nPalo Alto Networks detects and prevents BlackCat ransomware with the following products and services: Cortex\r\nXDR and Next-Generation Firewalls (including cloud-delivered security subscriptions such as WildFire).\r\nDue to the surge of this malicious activity, we’ve created this threat assessment for overall awareness.\r\nBlackCat Ransomware Overview\r\nSoliciting via known cybercrime forums, BlackCat is seeking affiliates to deploy its ransomware. Affiliates keep\r\nan 80-90% share of the ransom payment, with the remainder going to the BlackCat author. These affiliates are\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 1 of 11\n\ninterviewed and vetted before being accepted into the RaaS group. Once the affiliate is confirmed, they are given\r\nunique access to a Tor-based control panel that hosts the affiliate’s access.\r\nWritten in the Russian language, the control panel gives the affiliate updates and announcements about deploying\r\nand operating the ransomware as well as troubleshooting tips to help the affiliate be more successful in their\r\ncampaigns. Along with the control panel, a name and shame blog is also hosted, targeting victims who have either\r\nignored or refused to pay the ransom. This site has been regularly updated with new victims since the initial\r\ndiscovery of the group.\r\nAs shown in Figure 1 below, many RaaS operators use the double-extortion technique of exfiltrating data prior to\r\nencryption, which provides them greater leverage in negotiating ransom funds. As of December 2021, BlackCat\r\nhas the seventh largest number of victims listed on their leak site among ransomware groups tracked by Unit 42 –\r\nimpressive considering that this group has only been publicly known since November 2021. While Conti (ranked\r\nsecond) has been around in various guises for almost two years, it is surrounded at the top of the chart by\r\nemerging families. LockBit 2.0 and Hive both have at least six months’ head start on BlackCat, but this highlights\r\na worrying trend that newcomers (or reformed groups) can attack many victims in a short space of time.\r\nFigure 1. Leak site/name and shame blog statistics, December 2021.\r\nUsing the leak site information, we can understand the location and types of victims affected by BlackCat attacks.\r\nVictims include organizations in the following sectors: construction and engineering, retail, transportation,\r\ncommercial services, insurance, machinery, professional services, telecommunication, auto components and\r\npharmaceuticals. Figure 2 breaks down the victims by country. However, the so-far sporadic spread of the attacks\r\nmay indicate a somewhat opportunistic approach, as with most contemporary ransomware families.\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 2 of 11\n\nFigure 2. BlackCat leak site victims by country.\r\nTechnical Details\r\nBlackCat is positioned to pivot to individualized, customized attacks due to the numerous options available when\r\ncoding in Rust (Figure 3). Rust programming has gained momentum due to its fast and high performance,\r\npowerful web application development, low overhead for embedded programming, and memory management\r\nresolution. Rust also facilitates the BlackCat author due to its efficiency regarding algorithms that power the\r\nencryption capability of the ransomware. Because of its efficiency and adaptability, BlackCat has been seen\r\ntargeting both Windows and Linux systems.\r\nFigure 3. BlackCat execution options.\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 3 of 11\n\nIn an effort to maintain longevity, the use of the --access-token flag is required to execute the ransomware, which\r\ncan make it harder to analyze in sandboxed environments.\r\nBlackCat Config\r\nWhile analyzing the ransomware configurations, we observed numerous evasion tactics deployed. These evasion\r\ntechniques are used in an effort to impair or disable system defenses as well as to stop certain applications that\r\nmay lock files open on disk, causing problems when trying to encrypt them. BlackCat attempts to kill several\r\nprocesses and services to hinder or prevent security solutions and backups. The process list checked is as follows:\r\nagntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, msaccess, mspub, mydesktopqos,\r\nmydesktopservice, notepad, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, powerpnt, sqbcoreservice, sql,\r\nsteam, synctime, tbirdconfig, thebat, thunderbird, visio, winword, wordpad, xfssvccon, *sql*, bedbh, vxmon,\r\nbenetns, bengien, pvlsvr, beserver, raw_agent_svc, vsnapvss, CagService, QBIDPService, QBDBMgrN,\r\nQBCFMonitorService, SAP, TeamViewer_Service, TeamViewer, tv_w32, tv_x64, CVMountd, cvd, cvfwd,\r\nCVODS, saphostexec, saposcol, sapstartsrv, avagent, avscc, DellSystemDetect, EnterpriseClient, VeeamNFSSvc,\r\nVeeamTransportSvc, VeeamDeploymentSvc\r\nThe services running on the compromised system are checked against the following list:\r\nmepocs, memtas, veeam, svc$, backup, sql, vss, msexchange, sql$, mysql, mysql$, sophos, MSExchange,\r\nMSExchange$, WSBExchange, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator,\r\nBackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine,\r\nBackupExecManagementService, BackupExecRPCService, GxBlr, GxVss, GxClMgrS, GxCVD, GxCIMgr,\r\nGXMMM, GxVssHWProv, GxFWD, SAPService, SAP, SAP$, SAPD$, SAPHostControl, SAPHostExec,\r\nQBCFMonitorService, QBDBMgrN, QBIDPService, AcronisAgent, VeeamNFSSvc, VeeamDeploymentService,\r\nVeeamTransportSvc, MVArmor, MVarmor64, VSNAPVSS, AcrSch2Svc\r\nIn an effort to maintain persistence, the BlackCat ransomware excludes key system and application folders – as\r\nwell as key components – from encryption so as not to render the system and ransomware inoperative. The folders\r\nexcluded are as follows:\r\nsystem volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, $windows.~bt, public,\r\nmsocache, windows, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata,\r\nwindows.old\r\nExcluded file names are as follows:\r\ndesktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini,\r\nntuser.dat.log\r\nAny file with an extension matching the following list will also be avoided:\r\nthemepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb,\r\nwpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack,\r\nshs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 4 of 11\n\nHardcoded credentials stored within the BlackCat ransomware config lend credence to the likelihood that specific\r\nvictims are being targeted. The credentials also allow BlackCat to move laterally within the victim’s system and/or\r\nnetwork, often with administrative privileges. Credential access permits the ransomware to deploy additional tools\r\nthat further propagate the attack. These observations have also been confirmed by Symantec.\r\nAssociated Tools\r\nBlackCat has been observed using multiple – often legitimate – tools throughout their attacks, such as Mimikatz,\r\nLaZagne and WebBrowserPassView to recover stored passwords, as well as GO Simple Tunnel (GOST) and\r\nMEGAsync to exfiltrate data. Additionally, anti-forensics tools like fileshredder, an application to securely delete\r\nunwanted files beyond recovery, have also been leveraged during some BlackCat ransomware attacks investigated\r\nby Unit 42.\r\nPost-compromise Activities\r\nOnce candidate systems have been identified for encryption by the threat actors, the ransomware deployment\r\noccurs and all viable files will be encrypted. This process often involves renaming files to include another or a\r\ndifferent file extension, such as wpzlbji, in the example shown in Figure 4. As is commonplace with other\r\nransomware strains, BlackCat ransomware will drop ransom notes on the compromised system(s) to inform the\r\nvictim of what has happened and how to go about getting their data restored. Text files with the name RECOVER-\r\n[RANDOM]-FILES.txt (where [RANDOM] refers to the aforementioned file extension name) will be found on\r\nthe compromised system containing information and instructions such as those in the example below:\r\nFigure 4. An example of a BlackCat ransom note dropped on a compromised system.\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 5 of 11\n\nBlackCat utilizes a unique onion domain with a victim-specific access key for the victim to use to learn more\r\nabout the attack, their data, and what the threat actors want the victim to do next. The following example URL\r\nhighlights the notation used by BlackCat ransomware:\r\nhttp://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid[.]onion/?access-key=${ACCESS_KEY}\",\"note_short_text\":\"Important\r\nOnce the victim navigates to the onion site provided, they will see something similar to Figure 5 below. This site\r\nreiterates the problem and that the actor's Decrypt App private key is the only way to get their data back. The\r\nportal also provides chat facilities, the ransom amounts – which can differ depending on when the payment is sent\r\n– how to pay, and a way to test that the decryption works.\r\nFigure 5. Example onion site information for BlackCat victims.\r\nUnit 42 has observed BlackCat affiliates asking for ransom amounts of up to $14 million, though they offered to\r\ndiscount this demand to $9 million if paid before the established time. Interestingly, the ransom demand gives the\r\nvictim the option to pay not only in Bitcoin (the most common option) but also in Monero.\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 6 of 11\n\nIn some cases, BlackCat operators use the chat to threaten the victim, claiming they will perform a DDoS attack\r\non the victims' infrastructure if the ransom is not paid. When it appears in addition to the use of a leak site, this\r\npractice is known as triple extortion, a tactic that was observed being used by groups like Avaddon and Suncrypt\r\nin the past.\r\nOne unique feature of BlackCat ransomware is that negotiation chats can only be accessed by those holding an\r\naccess token key or ransom note – the group has made efforts to avoid third-party snooping.\r\nCourses of Action\r\nThis section documents the relevant tactics, techniques and procedures (TTPs) used by BlackCat ransomware and\r\noperators, mapping them directly to the Palo Alto Networks product(s) and service(s) protecting against them. It\r\nalso further instructs customers on how to ensure their devices are appropriately configured.\r\nProduct / Service Course of Action\r\nDiscovery\r\nThe below courses of action mitigate the following techniques:\r\nProcess Discovery [T1057], File and Directory Discovery [T1083]\r\nCORTEX XDR PREVENT Configure Behavioral Threat Protection under the Malware Security Profile\r\nLateral Movement\r\nThe below courses of action mitigate the following techniques:\r\nLateral Tool Transfer [T1570]\r\nTHREAT PREVENTION†\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap'\r\nand 'pop3'\r\nEnsure an anti-spyware profile is configured to block on all spyware severity\r\nlevels, categories and threats\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nCommand and Control\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 7 of 11\n\nThe below courses of action mitigate the following techniques:\r\nMulti-hop Proxy [T1090.003]\r\nTHREAT PREVENTION†\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles\r\nin use\r\nEnsure an anti-spyware profile is configured to block on all spyware severity\r\nlevels, categories and threats\r\nEnsure a secure anti-spyware profile is applied to all security policies\r\npermitting traffic to the internet\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap'\r\nand 'pop3'\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nADVANCED URL\r\nFILTERING†\r\nEnsure that URL Filtering uses the action of “block” or “override” on the\r\nURL categories\r\nEnsure secure URL filtering is enabled for all security policies allowing\r\ntraffic to the internet\r\nEnsure that Advanced URL Filtering is used\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are enabled\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\nDeploy XSOAR Playbook - Palo Alto Networks - Hunting And Threat\r\nDetection\r\nNEXT-GENERATION\r\nFIREWALLS\r\nEnsure 'SSL Forward Proxy Policy' for traffic destined to the internet is\r\nconfigured\r\nEnsure 'SSL Inbound Inspection' is required for all untrusted traffic destined\r\nfor servers using SSL or TLS\r\nEnsure application security policies exist when allowing traffic from an\r\nuntrusted zone to a more trusted zone\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not\r\nexist\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 8 of 11\n\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on\r\nTrusted Threat Intelligence Sources exists\r\nEnsure that the Certificate used for Decryption is Trusted\r\nExfiltration\r\nThe below courses of action mitigate the following techniques:\r\nExfiltration to Cloud Storage [T1567.002]\r\nURL FILTERING†\r\nEnsure secure URL filtering is enabled for all security policies allowing\r\ntraffic to the internet\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure that URL Filtering uses the action of ‘block’ or ‘override’ on the URL\r\ncategories\r\nEnsure that access to every URL is logged\r\nEnsure that Advanced URL Filtering is used\r\nImpact\r\nThe below courses of action mitigate the following techniques:\r\nData Encrypted for Impact [T1486], Service Stop [T1489], Inhibit System Recovery [T1490]\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook - Ransomware Manual for incident response.\r\nDeploy XSOAR Playbook - Palo Alto Networks Endpoint Malware\r\nInvestigation\r\nTable 1. Courses of Action for BlackCat ransomware.\r\n†These capabilities are part of the NGFW security subscriptions service\r\nConclusion\r\nBlackCat is an innovative and sophisticated ransomware family that is rapidly forming a reputation for its highly\r\ncustomized and individualized attacks. By leveraging the Rust programming language, the malware authors are\r\nable to easily compile it against various operating system architectures, which facilitates the group’s ability to\r\npivot from one victim to the next. As seen with other ransomware families, BlackCat operates with a RaaS model\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 9 of 11\n\nand utilizes multiple extortion techniques, then publishes a leak site to further pressure victims into paying the\r\nransom.\r\nPalo Alto Networks detects and prevents BlackCat ransomware in the following ways:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nIndicators for BlackCat.\r\nAnti-Ransomware Module to detect BlackCat encryption behaviors on Windows.\r\nLocal Analysis detection for BlackCat binaries on Windows.\r\nBTP rule prevents Ransomware activity on Linux.\r\nNext-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which\r\nare also categorized as malware in URL Filtering.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC:\r\n+65.6983.8730, or Japan: +81.50.1790.0200.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy\r\nprotections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber\r\nThreat Alliance.\r\nAcknowledgements\r\nWe would like to thank Simon Conant for his help with sample collection, and malware and infrastructure\r\nanalysis.\r\nTable of Contents\r\nExecutive Summary\r\nBlackCat Ransomware Overview\r\nTechnical Details\r\nBlackCat Config\r\nAssociated Tools\r\nPost-compromise Activities\r\nCourses of Action\r\nConclusion\r\nAdditional Resources\r\nAcknowledgements\r\nRelated Articles\r\nMuddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 10 of 11\n\nThreat Group Assessment: Muddled Libra (Updated May 16, 2025)\r\nLDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory\r\nEnlarged Image\r\nSource: https://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nhttps://unit42.paloaltonetworks.com/blackcat-ransomware/\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://unit42.paloaltonetworks.com/blackcat-ransomware/" ], "report_names": [ "blackcat-ransomware" ], "threat_actors": [ { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-10T02:00:04.772256Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434659, "ts_updated_at": 1775791852, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bcde816e9a9e0f0138fbee6b52fc2b83ba6198b7.pdf", "text": "https://archive.orkl.eu/bcde816e9a9e0f0138fbee6b52fc2b83ba6198b7.txt", "img": "https://archive.orkl.eu/bcde816e9a9e0f0138fbee6b52fc2b83ba6198b7.jpg" } }