{
	"id": "47184d24-f98b-4115-b89b-9a754ee35b23",
	"created_at": "2026-04-06T00:08:26.351882Z",
	"updated_at": "2026-04-10T03:29:40.041399Z",
	"deleted_at": null,
	"sha1_hash": "f484cc90f71542d81ba6731d527c955ef75b4983",
	"title": "Falcon OverWatch Contributes to BlackCat Protection | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 913465,
	"plain_text": "Falcon OverWatch Contributes to BlackCat Protection |\r\nCrowdStrike\r\nBy falcon.overwatch.team\r\nArchived: 2026-04-05 16:28:29 UTC\r\nIn an effort to stay ahead of improvements in automated detections and preventions, adversary groups continually\r\nlook to new tactics, techniques and procedures (TTPs), and new tooling to progress their mission objectives. One\r\ngroup — known as BlackCat/ALPHV — has taken the sophisticated approach of developing their tooling from the\r\nground up, using newer, more secure languages like Rust and highly customized configuration options per victim.\r\nWhile these techniques and tools may be sophisticated, the CrowdStrike Falcon®® platform in combination with\r\nFalcon OverWatch™ proactive human-driven hunting proved effective in blocking and unraveling this novel\r\nthreat. OverWatch gave the victim organization context-rich notifications about the emerging threat to their\r\nenvironment, providing essential information for this organization to secure themselves against a novel eCrime\r\nthreat. OverWatch is continually hunting to unearth evolving TTPs used by big game hunting (BGH) ransomware\r\nadversaries and other highly impactful intrusions as highlighted in this recent unsuccessful ransomware attack.\r\nIn late 2021, CrowdStrike Intelligence first became aware of BlackCat/ALPHV advertising to affiliates on\r\nunderground forums. The group advertised a newly developed Rust-based ransomware-as-a-service (RaaS)\r\noffering, along with an enticing affiliate program that allows affiliates to retain a relatively generous 80% to 90%\r\ncompared to the more typical 30% to 60%, depending on the RaaS and how successful it is.\r\nBy the end of January 2022, within weeks of launching, BlackCat/ALPHV had already gained notoriety for its\r\nexpertise and aggressive approach to extorting victims. 
Extortion techniques used by BlackCat/ALPHV and\r\naffiliates include naming victims on a dedicated leak site (DLS), threatening to leak data on the DLS, encrypting\r\ndata through ransomware, and finally implementing distributed denial of service (DDoS) attacks.\r\nGood for Victim When BlackCat Crosses OverWatch’s Path\r\nThis blog details an unsuccessful BlackCat ransomware attack on an organization in the technology sector.\r\nOverWatch worked as a seamless extension of the Falcon platform to trace and track the adversary’s movements,\r\nproviding critical context to the victim organization to facilitate comprehensive remediation.\r\nDespite the adversary’s use of the novel BlackCat tooling, the Falcon sensor effectively blocked the attack, both\r\npreventing the deletion of volume shadow copies and the execution of the ransomware tool itself. Just as\r\nadversaries continuously evolve their approaches, the CrowdStrike Falcon® platform is continuously honed to\r\ndetect and prevent emerging malicious activity. The Falcon platform takes a layered approach to detecting and\r\npreventing ransomware by using behavior-based indicators of attack (IOAs) and advanced machine learning\r\n(ML). Its detection capabilities are also informed by OverWatch’s front-line insights into novel threats.\r\nhttps://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/\r\nPage 1 of 6\n\nFigure 1. Falcon sensor detects and blocks critical severity attempt to delete volume shadow copies\r\nThe Falcon platform’s detection and automated prevention of malicious activity sparked a rapid retrospective hunt\r\nto understand the threat to the victim’s environment, which revealed that the intrusion had stemmed from an\r\nunmanaged host. OverWatch is adept at finding adversary discovery activity or attempts to establish a persistent\r\nfoothold in a victim’s environment. 
However, in this particular intrusion, the adversary gained initial access on a\r\nhost that did not have the Falcon sensor installed, meaning that there was no visibility of this pre-ransomware\r\nactivity for OverWatch. Despite this, OverWatch was still able to effectively track the adversary and provide the\r\nvictim organization with a rapid context-rich notification about the activity underway in its environment before\r\nserious damage was done.\r\nUpon investigation, OverWatch quickly uncovered the adversary’s use of “sender2” — identified as a file\r\nexfiltration tool (also known as Exmatter) — that was executed remotely with PsExec from an unmanaged host.\r\nThe sample sender2 executable crawls the computer for files with a list of file extensions and is configured to send\r\nthem to a remote server via the SFTP or WebDAV protocols. In the activity observed by OverWatch, the tool was\r\nset to evade detection in the following ways:\r\nIt executes using the parameter -nownd, causing the tool’s window to be hidden during execution.\r\nAt the completion of its execution, it launches a PowerShell command to forcibly stop the sender2 process\r\nand delete the executable.\r\nSelf-deletion powershell.exe command:\r\npowershell.exe -WindowStyle Hidden -C $path = '\\\\\\123\\sender.exe';Get-Process | Where-Object {$_.Path -like $pa\r\nFurther analysis of the tool also revealed that the sample had a build time of approximately one hour before it was\r\ndeployed, indicating that the adversary likely compiled the executable specifically for this intrusion.\r\nFigure 2. OverWatch detects malicious file exfiltration tool “sender2,” executed under PsExecSvc.exe\r\nAfter the attempted data exfiltration, the adversary moved to deploy the BlackCat ransomware. 
The ransomware\r\nexecutable file was masquerading under the name of a legitimate third-party managed security service provider\r\n(MSSP). The ransomware was executed remotely under PsExec, from a network shared folder named 123 and\r\nwas launched as a child process of Microsoft's File Explorer tool in another attempt to evade detection.\r\nThe ransomware executable included a required command line argument --access-token=. This unique token is\r\nused to create the access key that is written into and appended to the .onion link of the ransomware readme\r\nfile. This provides a unique link per victim to their negotiating Tor payment site.\r\nAnother distinctive characteristic of the BlackCat ransomware is its worming functionality with its ability to self-propagate within infected networks, observed in the following ways.\r\nThe ransomware:\r\nAcquires the system Address Resolution Protocol (ARP) table.\r\nScans the network over NetBIOS TCP port 137. This service provides a legacy name service for name\r\nregistration and resolution.\r\nSets the maximum number of suggested network connections for client requests that can be maintained for\r\neach client of the server in the Windows registry.\r\nModifies symbolic link evaluation of the host with Fsutil to support the encryption of symbolically linked\r\nfiles that redirect to a different file or directory, including connected network shares.\r\nOverWatch also identified that the adversary had used the customer’s Microsoft Group Policy Object (GPO)\r\nsettings to author scheduled tasks on Microsoft Windows domain joined hosts. The scheduled tasks were\r\nregistered for sender2 and the ransomware. 
However, the files were not successfully executed using this method.\r\nScheduled Task for “sender2”:\r\nTaskAuthor:\r\nTaskExecArguments: -nownd\r\nTaskExecCommand: \"cmd\" /c \\\\\\\\123\\sender.exe\r\nTaskName: test2\r\nScheduled Task for the Ransomware:\r\nTaskAuthor:\r\nTaskExecArguments: --access-token\r\nTaskExecCommand: \"cmd\" /c \\\\\\\\123\\.exe --access-token\r\nTaskName: test123\r\nWhile the attack stemmed from a host that did not have the Falcon sensor installed, OverWatch was able to use the\r\ncloud telemetry emitted from endpoints that did have Falcon sensor coverage to uncover the scope of this\r\nintrusion. OverWatch used the available telemetry to identify the source of the machine spreading the infection\r\nand was also able to identify and quickly notify the victim about the attack, which included:\r\nWhen the activity began\r\nThe compromised user account used to conduct the malicious activity\r\nThe unmanaged host used in the attack vectors, including relevant network indicators\r\nThe ransomware strain and the configured file rename extension\r\nFiles, hashes and indicators on impacted hosts\r\nGuidance to prevent further activity and assist with the initial response\r\nHuman-Driven Threat Hunting Seamlessly Augments Automated Detection and\r\nPrevention\r\nThis intrusion is a clear illustration of how OverWatch’s human threat hunting augments automated security\r\ncontrols to pinpoint and rapidly communicate malicious activities at the earliest possible stage.\r\nThe Falcon sensor played a crucial role in containing this attack. The Falcon sensor successfully detected and\r\nblocked attempts to delete volume shadow copies and deploy ransomware. 
These preventions gave the victim\r\norganization time to take the correct action stemming from OverWatch’s findings and evict the adversary from\r\ntheir network.\r\nOverWatch’s immediate investigation uncovered crucial details about the scope of the adversary’s activity, even\r\nwhen dealing with unmanaged endpoints. This information was crucial to the victim organization, enabling their\r\nresponse efforts to eradicate the adversary from their environment.\r\nIt is essential for defenders to recognize that, although OverWatch was ultimately able to track this intrusion as it\r\ntraversed the victim’s network, full visibility would have enabled much quicker identification of this activity and\r\npotentially could have prevented the adversary from gaining initial access. OverWatch strongly recommends that\r\nfull endpoint protection — including next-generation antivirus (NGAV) and endpoint detection and response\r\n(EDR) — is deployed across all endpoints to ensure complete visibility. While it is impossible to anticipate where\r\nan adversary will gain access, it is likely that they will look for blind spots in order to operate undetected within\r\nyour environment.\r\nTABLE 1. 
Ransomware Execution\r\n\"cmd\" /c \\\\\\\\123\\.exe --access-token \u003credacted\u003e NOTE: Ransomware binary execution under\r\nPSEXECSVC.exe\r\n\"C:\\Windows\\system32\\cmd.exe\" /c \"wmic csproduct get UUID\" NOTE: Acquire the System Management\r\nBIOS UUID, likely to gather information.\r\n\"C:\\Windows\\system32\\cmd.exe\" /c \"fsutil behavior set SymlinkEvaluation R2L:1\" NOTE: Enable\r\nremote-to-local symlink evaluation\r\n\"C:\\Windows\\system32\\cmd.exe\" /c \"fsutil behavior set SymlinkEvaluation R2R:1\" NOTE: Enable\r\nremote-to-remote symlink evaluation\r\n\"C:\\Windows\\system32\\cmd.exe\" /c \"iisreset.exe /stop\" NOTE: Stop all IIS-related processes\r\n\"C:\\Windows\\system32\\cmd.exe\" /c \"reg add\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535\r\n/t REG_DWORD /f\" NOTE: Set the maximum suggested outstanding network connections\r\n\"C:\\Windows\\explorer.exe\" --child --access-token NOTE: Run the ransomware executable as a child\r\nprocess\r\n\"C:\\Windows\\system32\\cmd.exe\" /c \"arp -a\" NOTE: Acquire system ARP table\r\n\"C:\\Windows\\system32\\cmd.exe\" /c \"vssadmin.exe Delete Shadows /all /quiet\" NOTE: Delete file\r\nshadow copies\r\nTABLE 2. 
sender2 File Exfiltrator Execution\r\nThe file exfiltrator tool, sender2, will crawl the computer for files with the following extensions:\r\n.doc, .docx, .xls, .xlsx, .xlsm, .pdf, .msg, .ppt, .pptx, .sda, .sdm, .sdw, .csv, .zip, .json,\r\n.config, .ts, .cs, .sqlite, .aspx, .pst, .rdp, .accdb, .catpart, .catproduct, .catdrawing, .3ds,\r\n.dwt, .dxf\r\nIt also has a few exceptions configured; it will not crawl any of the following directories:\r\nC:\\Documents and Settings\r\nC:\\PerfLogs\r\nC:\\Program Files\\Windows Defender Advanced Threat Protection\r\nC:\\Program Files\\WindowsApps\r\nC:\\ProgramData\\Application Data\r\nC:\\ProgramData\\Desktop\r\nC:\\ProgramData\\Documents\r\nC:\\ProgramData\\Microsoft\r\nC:\\ProgramData\\Packages\r\nC:\\ProgramData\\Start Menu\r\nC:\\ProgramData\\Templates\r\nC:\\ProgramData\\WindowsHolographicDevices\r\nC:\\Recovery\r\nC:\\System Volume Information\r\nC:\\Users\\All Users\r\nC:\\Users\\Default\r\nC:\\Users\\Public\\Documents\r\nC:\\Windows\r\nSystem Volume Information\r\nAnd it will also skip every path that contains one of the following strings:\r\nOneDriveMedTile, locale-, SmallLogo, VisualElements, adobe_sign, Adobe Sign, core_icons\r\nAdditional Resources\r\nRead the 2021 Threat Hunting Report blog or download the report now.\r\nLearn more about Falcon OverWatch’s proactive managed threat hunting.\r\nDiscover the power of tailored threat hunting OverWatch Elite provides customers in this blog post.\r\nWatch how Falcon OverWatch proactively hunts for threats in your environment.\r\nRead more about how part-time threat hunting is simply not enough in this blog post.\r\nLearn more about the CrowdStrike Falcon® platform.\r\nSource: https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/"
	],
	"report_names": [
		"falcon-overwatch-contributes-to-blackcat-protection"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434106,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f484cc90f71542d81ba6731d527c955ef75b4983.pdf",
		"text": "https://archive.orkl.eu/f484cc90f71542d81ba6731d527c955ef75b4983.txt",
		"img": "https://archive.orkl.eu/f484cc90f71542d81ba6731d527c955ef75b4983.jpg"
	}
}