{
	"id": "68975def-b901-4c74-8fa8-179db88d9365",
	"created_at": "2026-04-06T00:07:14.439235Z",
	"updated_at": "2026-04-10T13:13:09.613687Z",
	"deleted_at": null,
	"sha1_hash": "f55977980af9bafd0bc3ae6738864be7d9723422",
	"title": "A Deep Dive Into ALPHV/BlackCat Ransomware - SecurityScorecard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11085325,
	"plain_text": "A Deep Dive Into ALPHV/BlackCat Ransomware -\r\nSecurityScorecard\r\nArchived: 2026-04-05 14:57:49 UTC\r\nExecutive summary\r\nALPHV/BlackCat is the first widely known ransomware written in Rust. The malware must run with an access\r\ntoken consisting of a 32-byte value (--access-token parameter), and other parameters can be specified. The\r\nransomware comes with an encrypted configuration that contains a list of services/processes to be stopped, a list\r\nof whitelisted directories/files/file extensions, and a list of stolen credentials from the victim environment. It\r\ndeletes all Volume Shadow Copies, performs privilege escalation using the CMSTPLUA COM interface, and\r\nenables “remote to local” and “remote to remote” symbolic links on the victim’s machine. The files are encrypted\r\nusing the AES algorithm, with the AES key being encrypted using the RSA public key contained in the\r\nconfiguration. The extension of the encrypted files is changed to uhwuvzu by the malware.\r\nAnalysis and findings\r\nSHA256: 847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456\r\nThe malware can run with\r\none of the following parameters:\r\nFigure 1 Whether the ransomware is running with no parameters or with an invalid access token, an error message\r\nis displayed:\r\nFigure 2 By performing the dynamic analysis, we’ve found that the access token must be a 32-byte value that is\r\nnot unique.\r\nhttps://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware\r\nPage 1 of 22\n\n
The binary registers a new top-level exception handler via a function call to\r\nSetUnhandledExceptionFilter:\r\nFigure 3 The AddVectoredExceptionHandler API is utilized to register a vectored exception handler:\r\nFigure 4 The executable retrieves the command-line string for the process using the GetCommandLineW function:\r\nFigure 5 BlackCat opens the “SOFTWARE\\Microsoft\\Cryptography” registry key by calling the\r\nRegOpenKeyExW routine (0x80000002 = HKEY_LOCAL_MACHINE, 0x20019 = KEY_READ):\r\nFigure 6 The binary extracts the MachineGUID value from the registry:\r\nFigure 7 The malicious process searches for cmd.exe in the current directory and then in the System32 directory\r\nvia a function call to CreateFileW (0x7 = FILE_SHARE_DELETE | FILE_SHARE_WRITE |\r\nFILE_SHARE_READ, 0x3 = OPEN_EXISTING, 0x2000000 = FILE_FLAG_BACKUP_SEMANTICS):\r\nFigure 8 The executable generates 16 random bytes by calling the BCryptGenRandom API (0x2 =\r\nBCRYPT_USE_SYSTEM_PREFERRED_RNG):\r\nFigure 9 A named pipe whose name contains the current process ID and random bytes generated above is created\r\nusing CreateNamedPipeW (0x40080001 = FILE_FLAG_OVERLAPPED |\r\nFILE_FLAG_FIRST_PIPE_INSTANCE | PIPE_ACCESS_INBOUND, 0x8 =\r\nPIPE_REJECT_REMOTE_CLIENTS):\r\nFigure 10 The process opens the named pipe for writing using the CreateFileW routine (0x40000000 =\r\nGENERIC_WRITE, 0x3 = OPEN_EXISTING):\r\nFigure 11 The ransomware creates a read and a write named pipe, respectively. 
The wmic process is used to\r\nextract the UUID (0x08000400 = CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT):\r\nFigure 12 The CreateEventW API is utilized to create two unnamed event objects:\r\nFigure 13 The binary waits until the event objects are in the signaled state by calling WaitForMultipleObjects:\r\nFigure 14 The output of the above process is read from the named pipe using the ReadFile routine:\r\nFigure 15 The malware creates multiple threads by calling the CreateThread function (0x00010000 =\r\nSTACK_SIZE_PARAM_IS_A_RESERVATION):\r\nFigure 16 The content of the ransom note and the text that will appear on the Desktop Wallpaper are decrypted by\r\nthe ransomware:\r\nFigure 17\r\nFigure 18 The malicious binary obtains information about the current system via a function call to GetSystemInfo:\r\nFigure 19 There is a call to SHTestTokenMembership that verifies whether the user token is a member of the\r\nAdministrators group in the built-in domain (0x220 = DOMAIN_ALIAS_RID_ADMINS):\r\nFigure 20 The process opens the access token associated with the current process (0x80000000 =\r\nGENERIC_READ):\r\nFigure 21 BlackCat extracts a TOKEN_GROUPS structure containing the group accounts associated with the\r\nabove token using the NtQueryInformationToken function (0x2 = TokenGroups):\r\nFigure 22 The OpenProcess API is utilized to open a local process object (0x438 =\r\nPROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE | PROCESS_VM_READ |\r\nPROCESS_VM_OPERATION):\r\nFigure 23 The malicious binary retrieves a pointer to a PEB structure using the ZwQueryInformationProcess\r\nroutine (0x0 = ProcessBasicInformation):\r\nFigure 24 The executable retrieves a pointer to a 
PEB_LDR_DATA structure containing information about the\r\nloaded modules in the process and then to the head of a doubly linked list that contains the loaded modules:\r\nFigure 25\r\nFigure 26 The path of the image file for the current process is retrieved using ReadProcessMemory:\r\nFigure 27\r\nPrivilege escalation via UAC bypass using CMSTPLUA COM interface\r\nThe ransomware initializes the COM library for use by the current thread via a call to CoInitializeEx (0x2 =\r\nCOINIT_APARTMENTTHREADED):\r\nFigure 28 BlackCat ransomware uses the auto-elevated CMSTPLUA interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\nin order to escalate privileges:\r\nFigure 29 The initial executable is spawned with administrative privileges:\r\nFigure 30 The LookupPrivilegeValueW routine is utilized to retrieve the locally unique identifiers that represent\r\nthe following privileges:\r\nSeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege\r\nSeLoadDriverPrivilege SeSystemProfilePrivilege SeSystemtimePrivilege\r\nSeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege\r\nSeCreatePagefilePrivilege SeBackupPrivilege SeRestorePrivilege\r\nSeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege\r\nSeChangeNotifyPrivilege SeRemoteShutdownPrivilege SeUndockPrivilege\r\nSeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege\r\nSeIncreaseWorkingSetPrivilege SeTimeZonePrivilege\r\nSeCreateSymbolicLinkPrivilege SeDelegateSessionUserImpersonatePrivilege\r\nFigure 31 All the above privileges are enabled in the access token using AdjustTokenPrivileges:\r\nFigure 32 The binary creates the following processes that enable “remote to local” and “remote to remote”\r\nsymbolic links on the local machine:\r\nFigure 33\r\nFigure 34 The malware tries to stop 
the Internet Information Services (IIS) using IISReset.exe:\r\nFigure 35 The ransomware deletes all volume shadow copies using the vssadmin.exe utility:\r\nFigure 36 There is also a second process that is responsible for deleting all volume shadow copies with wmic:\r\nFigure 37 Interestingly, the malware runs the following command that is incomplete and returns an error:\r\nFigure 38\r\nFigure 39 The binary disables Automatic Repair using the bcdedit tool:\r\nFigure 40 The ransomware tries to clear all event logs; however, the command is incorrect and returns an error, as\r\nhighlighted below:\r\nFigure 41\r\nFigure 42\r\nKilling targeted services\r\nThe binary opens the service control manager database via a function call to OpenSCManagerW (0xF003F =\r\nSC_MANAGER_ALL_ACCESS):\r\nFigure 43 The process obtains a list of active services using EnumServicesStatusExW (0x30 =\r\nSERVICE_WIN32, 0x1 = SERVICE_ACTIVE):\r\nFigure 44 The malware targets the list of services from the kill_services element in the BlackCat configuration. 
A\r\ntargeted service is opened by calling the OpenServiceW routine (0x2c = SERVICE_STOP |\r\nSERVICE_ENUMERATE_DEPENDENTS | SERVICE_QUERY_STATUS):\r\nFigure 45 EnumDependentServicesW is utilized to retrieve the active services that depend on the targeted service\r\n(0x1 = SERVICE_ACTIVE):\r\nFigure 46 BlackCat stops the targeted service using the ControlService function (0x1 =\r\nSERVICE_CONTROL_STOP):\r\nFigure 47\r\nKilling targeted processes\r\nThe executable takes a snapshot of all processes and threads in the system (0xF = TH32CS_SNAPALL):\r\nFigure 48 The processes are enumerated using the Process32FirstW and Process32NextW APIs:\r\nFigure 49\r\nFigure 50 The malware targets the list of processes from the kill_processes element in the BlackCat configuration.\r\nIt opens a targeted process using OpenProcess (0x1 = PROCESS_TERMINATE):\r\nFigure 51 The ransomware terminates the targeted process by calling the TerminateProcess API:\r\nFigure 52 The binary spawns multiple child processes by adding the “--child” parameter to the command line (see\r\nfigure 53). 
The new processes run in the security context of credentials that were specified in the credentials entry\r\nfrom the BlackCat configuration.\r\nFigure 53 The number of network requests the Server Service can make is set to the maximum by modifying the\r\n“HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\MaxMpxCt” Registry value:\r\nFigure 54 The malicious process obtains the ARP table using the arp command, as shown below:\r\nFigure 55 The net use command is utilized to connect to the local computer using different credentials stored in\r\nthe BlackCat configuration:\r\nFigure 56 The malware retrieves the currently available disk drives by calling the GetLogicalDrives routine:\r\nFigure 57 The GetDriveTypeW API is utilized to obtain the drive type:\r\nFigure 58 The ransomware starts scanning the volumes on the local machine using FindFirstVolumeW:\r\nFigure 59 The list of drive letters and mounted folder paths for the above volume is extracted by the malware:\r\nFigure 60 The volume enumeration continues by calling the FindNextVolumeW function:\r\nFigure 61 All unmounted volumes are mounted via a function call to SetVolumeMountPointW:\r\nFigure 62 BlackCat traverses the file system using the FindFirstFileW and FindNextFileW APIs:\r\nFigure 63\r\nFigure 64 The BlackCat configuration is stored in JSON form and is decrypted at runtime. 
It contains:\r\nthe extension appended to the encrypted files\r\nthe RSA public key that is used to encrypt the AES encryption key\r\nransom note name and content\r\nstolen credentials specific to the victim’s environment\r\nencryption cipher: AES\r\nlist of services and processes to be killed\r\nlist of folders, files, and extensions to be skipped\r\nboolean values that indicate network discovery, lateral movement, setting the Desktop Wallpaper, killing\r\nVMware ESXi virtual machines, removing VMware ESXi virtual machine snapshots, excluding VMware\r\nESXi virtual machines from termination\r\nFigure 65\r\nFile encryption\r\nThe CreateFileW API is used to open a targeted file (0xC0000000 = GENERIC_READ | GENERIC_WRITE,\r\n0x7 = FILE_SHARE_DELETE | FILE_SHARE_WRITE | FILE_SHARE_READ, 0x3 =\r\nOPEN_EXISTING):\r\nFigure 66 The ransom note is created in every traversed directory (0x40000000 = GENERIC_WRITE, 0x7 =\r\nFILE_SHARE_DELETE | FILE_SHARE_WRITE | FILE_SHARE_READ, 0x2 = CREATE_ALWAYS):\r\nFigure 67 The ransom note is populated using the WriteFile routine:\r\nFigure 68\r\nFigure 69 The file’s extension is changed using the MoveFileExW function. 
The renamed file is opened using\r\nCreateFileW (0x7 = FILE_SHARE_DELETE | FILE_SHARE_WRITE | FILE_SHARE_READ, 0x3 =\r\nOPEN_EXISTING, 0x02000000 = FILE_FLAG_BACKUP_SEMANTICS):\r\nFigure 70 Interestingly, BlackCat creates intermediary files called “checkpoints-\u003cencrypted file name\u003e” during\r\nthe encryption process:\r\nFigure 71 The malware generates 16 random bytes that will be used to derive the AES key:\r\nFigure 72 The ransomware moves the file pointer to the beginning of the file by calling the SetFilePointerEx API\r\n(0x0 = FILE_BEGIN):\r\nFigure 73 The process reads 4 bytes from the beginning of the file using ReadFile:\r\nFigure 74 A JSON form containing the encryption cipher (AES), the AES key used to encrypt the file, the data,\r\nand the chunk size, is constructed in the process memory:\r\nFigure 75 The binary generates 0x50 (80) random bytes that are used to border the JSON form. The resulting\r\nbuffer has a size of 256 bytes and is rotated using instructions such as pshuflw:\r\nFigure 76\r\nFigure 77 A 4-byte border “19 47 B2 CE” that separates the encrypted file content from the encrypted AES key is\r\nwritten to the file:\r\nFigure 78 The buffer that contains the AES key presented in figure 77 is encrypted with the RSA public key from\r\nthe BlackCat configuration. The result is written to the file using WriteFile:\r\nFigure 79 The size of the encrypted key (0x100) is written to the file:\r\nFigure 80 The file content is read by using the ReadFile function:\r\nFigure 81 The file content is encrypted using the AES-128 algorithm. 
The malware uses the aesenc and aesenclast\r\ninstructions for this purpose:\r\nFigure 82\r\nFigure 83 The encrypted file content is written back to the file using WriteFile:\r\nFigure 84 An example of an encrypted file is displayed below:\r\nFigure 85 The ransomware creates a PNG image called “RECOVER-uhwuvzu-FILES.txt.png”:\r\nFigure 86\r\nFigure 87 The Desktop wallpaper is changed to the above image by calling the SystemParametersInfoW API\r\n(0x14 = SPI_SETDESKWALLPAPER, 0x3 = SPIF_UPDATEINIFILE | SPIF_SENDCHANGE):\r\nFigure 88\r\nRunning with the --verbose parameter\r\nThe ransomware writes multiple actions to the command line output:\r\nFigure 89\r\nRunning with the --extra-verbose --ui parameters\r\nThe malware presents the relevant information in the following window:\r\nFigure 90\r\nIndicators of Compromise\r\nPipe: \\\\.\\pipe\\__rust_anonymous_pipe1__.\u003cProcess ID\u003e.\u003cRandom number\u003e\r\nBlackCat Ransom Note: RECOVER-uhwuvzu-FILES.txt\r\nFiles created: checkpoints-\u003cFilename\u003e.uhwuvzu, RECOVER-uhwuvzu-FILES.txt.png\r\nProcesses spawned:\r\ncmd.exe /c “wmic csproduct get UUID”\r\ncmd.exe /c “fsutil behavior set SymlinkEvaluation R2L:1”\r\ncmd.exe /c “fsutil behavior set SymlinkEvaluation R2R:1”\r\ncmd.exe /c “iisreset.exe /stop”\r\ncmd.exe /c “vssadmin.exe Delete Shadows /all /quiet”\r\ncmd.exe /c “wmic.exe Shadowcopy Delete”\r\ncmd.exe /c “bcdedit /set {default}”\r\ncmd.exe /c “bcdedit /set {default} recoveryenabled No”\r\ncmd.exe /c for /F “tokens=*” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl %1\r\ncmd.exe /c “reg 
add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f”\r\ncmd.exe /c “arp -a”\r\nSource: https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware"
	],
	"report_names": [
		"deep-dive-into-alphv-blackcat-ransomware"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434034,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f55977980af9bafd0bc3ae6738864be7d9723422.pdf",
		"text": "https://archive.orkl.eu/f55977980af9bafd0bc3ae6738864be7d9723422.txt",
		"img": "https://archive.orkl.eu/f55977980af9bafd0bc3ae6738864be7d9723422.jpg"
	}
}