{
	"id": "d40b81a1-0117-4963-bf43-3029af9d0da0",
	"created_at": "2026-04-06T00:21:49.140384Z",
	"updated_at": "2026-04-10T13:12:55.110325Z",
	"deleted_at": null,
	"sha1_hash": "c3f7217f545eaf1d7cb02de6aa51fb8a5233fc7f",
	"title": "An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe’",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 247619,
	"plain_text": "An ALPHV (BlackCat) representative discusses the group’s plans\r\nfor a ransomware ‘meta-universe’\r\nBy Dmitry Smilyanets\r\nPublished: 2023-01-17 · Archived: 2026-04-05 23:21:26 UTC\r\nEditor’s Note: Late last year, cybersecurity researchers began to notice a ransomware strain called ALPHV that\r\nstood out for being particularly sophisticated and coded in the Rust programming language—a first for\r\nransomware used in real-world attacks.\r\nThe group has since garnered a reputation for aggressively posting details about its victims publicly—roughly two\r\ndozen have been posted on the group's extortion site over the last two months. Earlier this week, reports emerged\r\nthat German cybersecurity officials believe the group is responsible for the recent attack on two German logistics\r\ncompanies, which led to oil supply disruptions across hundreds of gas stations.\r\nA representative from the group, which has also been called BlackCat in some reports, agreed to talk to Recorded\r\nFuture analyst Dmitry Smilyanets about the group's background, intentions, and plans for the future. The\r\ninterview was conducted in Russian via TOX messaging, and was translated to English with the help of a linguist\r\nfrom Recorded Future's Insikt Group. It has been lightly edited for clarity.\r\nDmitry Smilyanets: How should I address you: ALPHV, Alfa, or BlackCat? \r\nALPHV Support: As much as we would like to avoid it, the brand must exist to simplify interaction with insurance\r\nand recovery companies. Our only name is ALPHV. BlackCat was invented by The Record and BC.a Noberus by\r\nSymantec [Editor’s note: The name ‘BlackCat’ was mentioned first by MalwareHunterTeam].\r\nDS: You came to the ransomware scene with knowledge and experience. The code, the procedures, and the\r\ntimings indicate that you have ties to REvil and possibly DarkSide. Is it a rebrand or a mix of talent under a new\r\nbanner? 
\r\nALPHV: In part, we are all connected to gandrevil [GandCrab / REvil], blackside [BlackMatter / DarkSide],\r\nmazegreggor [Maze / Egregor], lockbit, etc., because we are adverts [Editor’s note: advertisers or affiliates].\r\nAdverts write software, adverts pick a brand name, a partnership program is nothing without adverts. There is no\r\nrebranding or a mix of talents because we have no direct relation to these partnership programs. Let's just say:\r\n\"We borrowed their advantages and eliminated their disadvantages.\"\r\nDS: You mentioned multiple advantages over Conti and Lockbit ransomware variants, do you recognize other\r\nransomware groups as competitors or business partners?\r\nALPHV: Without exaggeration, we believe that at the moment, there is no competitive software on the market. In\r\naddition to high-quality software, for advanced partners, we provide the full range of services related to ransom —\r\nmetaverse or premium concierge — call it whatever you want. We are in a different weight category, so we don’t\r\nhttps://therecord.media/an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware-meta-universe/\r\nPage 1 of 5\n\nrecognize anyone, and we won’t do TikTok ransomware houses. Separately, we want to thank the media for a\r\ndetailed and honest review of the malware. The results speak for themselves.\r\nDS: Are you going to add support for the Chinese language following the RAMP and Lockbit strategic expansion\r\nto the east?\r\nALPHV: We are absolutely not interested in any cooperation, expansion, or interaction with other affiliates and\r\nwork only with Russian-speaking partners. Recently there was the first purge, the second one will come soon and\r\nwe will close our doors. We do not plan to expand geographically (before the implementation of plans to take over\r\nthe whole world), but we will definitely add Chinese after Arabic : )\r\nDS: Why RUST? Are you trying to obfuscate previously used code? 
Cross-compiling?\r\nALPHV: RUST is chosen as a modern cross-platform low-level programming language. In the console command,\r\nthe project name is alphv-N(ext)G(eneration). We have made a truly new product, with a new look and approach\r\nthat meets modern requirements for both a RaaS solution and high-class commercial software.\r\nDS: Why did you add Access tokens and unique domains for every victim?\r\nALPHV: As adverts of darkmatter [DarkSide / BlackMatter], we suffered from the interception of victims for\r\nsubsequent decryption by Emsisoft.\r\n[Editor’s note: Smilyanets contacted Emsisoft malware analyst Brett Callow for clarification, which we are\r\nincluding below for additional context.]\r\nIntel from various sources indicates that the actors behind BlackMatter may have replaced their dev\r\nteam after we discovered and exploited a weakness in their ransomware, and the new team created\r\nALPHV. Their comments about the chats perhaps support that. — Brett Callow, Emsisoft\r\nDS: You mentioned business contacts with the recovery companies who “previously worked with REvil and\r\nDarkSide.” Do negotiators help you to get what you want, or do they usually just get in the way?\r\nALPHV: Recovery companies we work with only simplify the process. They have their own personal discounts\r\nthat can vary between 20-40% and the entire recovery process takes no more than 24 hours from the moment of\r\nthe first contact. \r\nAn interesting fact: the real names of the companies were obtained as a result of the analysis of the\r\ncorrespondence of the victims after the network was encrypted, i.e. 
at the moment of negotiations, we understood\r\nwith whom we were talking.\r\nDS: How do you place yourself in the geopolitical fight between Russia and the USA?\r\nALPHV: Absolutely apolitical.\r\nDS: You don’t recommend your affiliates target government, healthcare, and educational institutions, as well as\r\nprohibit attacks on Commonwealth of Independent States (CIS). How do you control your affiliates and enforce\r\nthe rules? \r\nALPHV: We control preventively — at registration. As you can see, we do not run an active advertising campaign\r\nand easily cut ties with non-compliant partners, but no matter how hard we try to filter people when creating an\r\naccount — shit happens. There was already one episode with (I quote) \"not the neighboring countries.\"\r\nDecryption keys were issued automatically with the affiliate getting banned.\r\nDS: One of the published victims is from the healthcare industry, how did this happen?\r\nALPHV: We do not attack state medical institutions, ambulances, hospitals. This rule does not apply to\r\npharmaceutical companies, private clinics.\r\nDS: Please explain how these special features work: Calls, DDoS, Brute, Mixer, Mega.\r\nALPHV: The entire list of options described below is available exclusively for adverts who have reached the mark\r\nof $1.5 million in the number of payments.\r\nCalls. Outsourced solutions for calls. If communication with the victim is lost, you can try to establish contact by\r\nphone, in extreme cases, inform competitors about the leak. Not yet integrated into the panel, works in manual\r\nmode.\r\nDDoS. Own botnet for performing the most powerful DDoS attacks. Everything is clear here. Not yet\r\nintegrated into the panel, works in manual mode.\r\nBrute. Own GPU data center + outsourcing rented facilities, own\r\ndictionaries, and rules. Currently is not available. In the future, it will allow adverts to break hashes in the\r\npanel.\r\nMixer. 
This is not our mixer at all : ) There is no process of mixing coins in our platform. When performing\r\nan operation, our coins just go into the classic mixer for subsequent manipulations, and we get absolutely clean\r\nand verified coins, which even the most diligent exchange market will be happy with.\r\nMega. Own distributed\r\nonion storage that simplifies the negotiation process for both our adverts and victims. Most dialogues begin with a\r\nrequest for a list/content of stolen files. We try to teach adverts to upload files to our data center immediately or\r\neven before the encryption process itself. In the future, this will allow sharing data on the volume/number of files,\r\na file tree, and/or even a file shredder log to confirm the safe deletion of all existing files to the victim\r\nautomatically; and today the storage allows you to avoid blocking from file hosting and simplifies the process of\r\nmanaging files between advert and victim. Already integrated into the panel, works automatically.\r\nDS: Are you building a dream team ransomware partnership? \r\nALPHV: This was done at the planning stage. Our main goal is to create our own RaaS meta-universe that\r\nincludes the full range of services related to our business.\r\nDS: How will the ransomware scene change in the future?\r\nALPHV: Follow our updates : )\r\nDS: Can you tell me a secret — who is “super admin”?\r\nALPHV: A very humble person, our spiritual and technical leader.\r\nAn ALPHV (BlackCat) ransomware representative posting on a popular hacking forum. IMAGE: RECORDED\r\nFUTURE.\r\nDS: Can you comment on the investigation by Brian Krebs, in which he pointed out the connection between\r\n“binrs,” a developer, and ALPHV?\r\nALPHV: The investigations of couch analysts will always amuse the natives of the darknet. We are far beyond\r\nwhat Mr. 
Krebs can imagine.\r\nDmitry Smilyanets\r\nMission-driven and Russian-speaking intelligence analyst with type A personality. Dmitry has twenty years of\r\nexperience and expertise in cybercrime activity that includes being a former member of an elite Russian-based\r\nhacking organization.\r\nSource: https://therecord.media/an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware-meta-universe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware-meta-universe/"
	],
	"report_names": [
		"an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware-meta-universe"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3f7217f545eaf1d7cb02de6aa51fb8a5233fc7f.pdf",
		"text": "https://archive.orkl.eu/c3f7217f545eaf1d7cb02de6aa51fb8a5233fc7f.txt",
		"img": "https://archive.orkl.eu/c3f7217f545eaf1d7cb02de6aa51fb8a5233fc7f.jpg"
	}
}