{
	"id": "c7279a59-c6db-4bfe-8d7d-203c91c588c1",
	"created_at": "2026-04-06T00:14:20.287448Z",
	"updated_at": "2026-04-10T13:12:51.404619Z",
	"deleted_at": null,
	"sha1_hash": "e56655fa36fdd277e7f9d4891b099f8cb70f7def",
	"title": "Ransomware Profile: ALPHV",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90726,
	"plain_text": "Ransomware Profile: ALPHV\r\nBy Senan Conrad\r\nPublished: 2022-02-23 · Archived: 2026-04-02 10:59:23 UTC\r\nALPHV is a ransomware variant that encrypts data on infected systems and threatens to leak stolen data if the\r\nransom payment is not made. It is highly customizable, which enables threat actors to easily tailor an attack to the\r\ntarget environment. ALPHV was first observed in November 20201 and is believed to be the first active\r\nransomware coded in the Rust programming language. \r\nWhat is ALPHV? \r\nALPHV is a strain of ransomware that encrypts files using AES encryption (although the process can be\r\noverridden to use ChaCha20) and demands a large ransom for their decryption. It is the only active ransomware\r\ndeveloped using Rust, a programming language renowned for its performance and safety. ALPHV has used Rust’s\r\ncross-platform capabilities to develop both Linux and Windows variants of the ransomware.  \r\nALPHV is categorized as ransomware-as-a-service (RaaS), a business model whereby the developers of the\r\nransomware lease it to affiliates, who earn a portion of ransom payments in exchange for executing a successful\r\nattack. ALPHV offers affiliates a larger revenue share than many other RaaS operations, with affiliates earning\r\n80% of payments up to $1.5 million, 85% of payments up to $3 million and 90% of payments over $3 million.\r\nThe developers of ALPHV typically recruit affiliates on Russian-speaking hacking forums.  \r\nTo amplify the impact of an attack, ALPHV uses data exfiltration to put further pressure on victims and increase\r\ntheir chances of a payout. During an attack, threat actors extract large amounts of data from the compromised\r\nsystem and threaten to publish it on the ALPHV leak site unless the victim pays the ransom.  
\r\nALPHV is one of a handful of ransomware groups that also threatens to DDoS victims that fail to pay the ransom.\r\nALPHV allegedly uses its own botnet to manually perform the DDoS attacks. The group frames DDoS as an\r\nexclusive feature of sorts, available only to affiliates who have generated more than $1.5 million in ransom\r\npayments. \r\nThe history of ALPHV \r\nALPHV was first detected in November 2021 and quickly claimed dozens of victims in the first few months of\r\noperation. \r\nIt is likely that ALPHV is a rebrand of a ransomware group known as BlackMatter, which was itself a rebrand of a\r\ngroup known as DarkSide. It’s believed that these rebranding efforts may be an attempt by threat actors to distance\r\nthemselves from a costly development blunder that allowed Emsisoft to create a free BlackMatter decryption\r\ntool. \r\nhttps://blog.emsisoft.com/en/40931/ransomware-profile-alphv/\r\nPage 1 of 6\n\nCybersecurity researchers originally named the ransomware ‘BlackCat’ after the image of an inky feline that was\r\ndepicted on every victim’s Tor payment site. However, in February 2021, a representative of the group confirmed\r\nthat its only official name is ALPHV. \r\nSince ALPHV was first discovered, there have been 194 submissions to ID Ransomware, an online tool that helps\r\nthe victims of ransomware identify which ransomware has encrypted their files. We estimate that only 25 percent\r\nof victims make a submission to ID Ransomware, which means there may have been a total of 776 ALPHV\r\nincidents since the ransomware’s inception. During this time, the group also published on its leak site the stolen\r\ndata of at least 40 organizations. \r\nALPHV ransom note \r\nAfter the ransomware has been deployed and the encryption process is complete, ALPHV drops a ransom note on\r\nthe infected system. 
The ransom note is named after the apparently random file extension that ALPHV appends to\r\nall encrypted files, and uses the following naming format: ‘RECOVER-[RANDOM EXTENSION]-FILES.txt’. \r\nThe ransom note informs the target that their files have been encrypted and includes a link to a .onion site where\r\nthe victim can make payment. The note also includes examples of the type of data that was stolen during the\r\nattack, along with threats that the data will be published if the victim refuses to cooperate. \r\nBelow is a sample ALPHV ransom note: \r\n\u003e\u003e Introduction \r\nImportant files on your system was ENCRYPTED and now they have “[REDACTED]” extension. \r\nIn order to recover your files you need to follow instructions below. \r\n\u003e\u003e Sensitive Data \r\nSensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to\r\ncooperate. \r\nData includes: \r\n[REDACTED] \r\n– And more… \r\nPrivate preview is published here: [REDACTED] \r\n\u003e\u003e CAUTION \r\nDO NOT MODIFY FILES YOURSELF. \r\nDO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. \r\nYOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. \r\nYOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER\r\nKEY. \r\n\u003e\u003e Recovery procedure \r\nFollow these simple steps to get in touch and recover your data: \r\n1) Download and install Tor Browser from: https://torproject.org/ \r\n2) Navigate to: [REDACTED] \r\nWho does ALPHV target? \r\nALPHV tends to target large organizations with the resources and motivation to pay large ransom demands. It is\r\ncapable of infecting both Windows and Linux systems. \r\nALPHV prohibits attacks on nations belonging to the Commonwealth of Independent States (CIS), which includes\r\nAzerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan\r\nand Ukraine. 
\r\nThe group also prohibits attacks on government, healthcare and educational institutions. If an entity belonging to\r\none of these sectors is attacked, ALPHV claims that it will provide free decryption and ban the offending affiliate. \r\nAs always, any claims made by cybercrime groups should be taken with a grain of salt. ALPHV has already\r\npublished stolen data from at least one victim in the healthcare sector (the group has stated that its rules around\r\navoiding the healthcare sector do not apply to pharmaceutical companies and private clinics). Additionally, even if\r\nthe group does provide free decryption to an impacted entity, the recovery process may still take days, weeks or\r\nmonths to complete. This level of disruption can have a significant impact on patient health. \r\nHow does ALPHV spread? \r\nALPHV attacks begin by breaching the target network. Affiliates can use a variety of methods to infect the target\r\nsystem, including compromised RDP, phishing attacks, stolen credentials and exploiting known vulnerabilities. \r\nOnce the system has been compromised, attackers may use a variety of tools to prepare the environment for\r\nencryption and maximize the impact of the attack. Tools such as Mimikatz, LaZagne and WebBrowserPassView\r\nare used to access saved passwords, which enables threat actors to escalate privileges and spread laterally across\r\nthe network. MEGAsync is often used to exfiltrate data, while anti-forensics tools like File Shredder are\r\nsometimes used to securely delete files and thwart analysis. PowerShell is often used to modify Windows\r\nDefender security settings, and shadow volume copies are deleted prior to encryption to prevent organizations from\r\nrestoring encrypted files. \r\nALPHV requires a specific access token for the ransomware to execute properly. 
The access token acts as a unique\r\nkey, which is used to verify the identity of the victim and must be provided when accessing the ALPHV\r\n.onion payment site. The access token prevents third parties (such as ransomware researchers) from gatecrashing what\r\nis supposed to be a private negotiation between victim and attacker. \r\nAs ALPHV operates as a RaaS and can be distributed by many different affiliates, the exact anatomy of an attack\r\ncan vary from incident to incident. \r\nMajor ALPHV attacks \r\nOiltanking: In late November 2021, German petrol distributor Oiltanking GmbH was the victim of an\r\nALPHV attack. The incident affected 13 fuel terminals, including the automated systems responsible for\r\nloading and unloading fuel tanks, and forced the company to resort to manual processes. More than 200\r\npetrol stations, mostly located in northern Germany, were impacted during the attack. \r\nSwissport: In February 2022, Swissport, the world’s leading provider of ground services and cargo\r\nhandling for the aviation industry, was allegedly hit by ALPHV. The group posted on its data leak site a\r\nsmall sample of files that were apparently stolen during the attack, including passports, internal business\r\nnotes and the personal information of job candidates. The group also offered to sell the entire 1.6 TB set of\r\nstolen data. \r\nHow to protect the network from ALPHV and other ransomware \r\nThe following practices may help organizations reduce the risk of an ALPHV incident. \r\nCybersecurity awareness training: Because the majority of ransomware spreads through user-initiated\r\nactions, organizations should implement training initiatives that focus on teaching end users the\r\nfundamentals of cybersecurity. Ransomware and propagation methods are constantly evolving, so training\r\nmust be an ongoing process to ensure end users are aware of current threats. 
\r\nCredential hygiene: Practicing good credential hygiene can help prevent brute force attacks, mitigate the\r\neffects of credential theft and reduce the risk of unauthorized network access. \r\nMulti-factor authentication: MFA provides an extra layer of security that can help prevent unauthorized\r\naccess to accounts, tools, systems and data repositories. Organizations should consider enabling MFA\r\nwherever possible. \r\nSecurity patches: Organizations of all sizes should have a robust patch management strategy that ensures\r\nsecurity updates on all endpoints, servers, and appliances are applied as soon as possible to minimize the\r\nwindow of opportunity for an attack. \r\nBackups: Backups are one of the most effective ways of mitigating the effects of a ransomware incident.\r\nMany strains of ransomware can spread laterally across the network and encrypt locally stored backups, so\r\norganizations should use a mixture of media storage, and store backup copies both on- and off-site. See this\r\nguide for more information on creating ransomware-proof backups. \r\nSystem hardening: Hardening networks, servers, operating systems and applications is crucial for\r\nreducing attack surface and managing potential security vulnerabilities. Disabling unneeded and potentially\r\nexploitable services such as PowerShell, RDP, Windows Script Host, Microsoft Office macros, etc. reduces\r\nthe risk of initial infection, while implementing the principle of least privilege can help prevent lateral\r\nmovement. \r\nBlock macros: Many ransomware families are delivered via macro-embedded Microsoft Office or PDF\r\ndocuments. Organizations should review their use of macros, consider blocking all macros from the\r\nInternet, and only allow vetted and approved macros to execute from trusted locations. 
\r\nEmail authentication: Organizations can use a variety of email authentication techniques such as Sender\r\nPolicy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting\r\nand Conformance to detect email spoofing and identify suspicious messages. \r\nNetwork segregation: Effective network segregation helps contain incidents, prevents the spread of\r\nmalware and reduces disruption to the wider business. \r\nNetwork monitoring: Organizations of all sizes must have systems in place to monitor possible data\r\nexfiltration channels and respond immediately to suspicious activity. \r\nPenetration testing: Penetration testing can be useful for revealing vulnerabilities in IT infrastructure and\r\nemployees’ susceptibility to ransomware. Results of the test can be used to allocate IT resources and\r\ninform future cybersecurity decisions.\r\nIncident response plan: Organizations should have a comprehensive incident response plan in place that\r\ndetails exactly what to do in the event of infection. A swift response can help prevent malware from\r\nspreading, minimize disruption and ensure the incident is remediated as efficiently as possible. \r\nHow to remove ALPHV and other ransomware \r\nALPHV uses encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool. \r\nVictims of ALPHV should be prepared to restore their systems from backups, using processes that should be\r\ndefined in the organization’s incident response plan. The following actions are recommended: \r\nTake action to contain the threat. \r\nDetermine the extent of the infection. \r\nIdentify the source of the infection. \r\nCollect evidence. \r\nRestore the system from backups. \r\nEnsure all devices on the network are clean. 
\r\nPerform a comprehensive forensic analysis to determine the attack vector, the scope of the incident and the\r\nextent of data exfiltration. \r\nIdentify and fix the vulnerabilities that were exploited to reduce the risk of a repeat incident.\r\nSource: https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/"
	],
	"report_names": [
		"ransomware-profile-alphv"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434460,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e56655fa36fdd277e7f9d4891b099f8cb70f7def.pdf",
		"text": "https://archive.orkl.eu/e56655fa36fdd277e7f9d4891b099f8cb70f7def.txt",
		"img": "https://archive.orkl.eu/e56655fa36fdd277e7f9d4891b099f8cb70f7def.jpg"
	}
}