{
	"id": "3dc6d009-9995-4888-9522-39cbf1c38d80",
	"created_at": "2026-04-06T00:16:02.514509Z",
	"updated_at": "2026-04-10T13:11:46.280573Z",
	"deleted_at": null,
	"sha1_hash": "f7f17af7bef2039de3f81791fbde35f5b7ba1c12",
	"title": "Everything You Need To Know About BlackCat (AlphaV)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 637574,
	"plain_text": "Everything You Need To Know About BlackCat (AlphaV)\r\nBy Aaron Sandeen\r\nPublished: 2022-09-08 · Archived: 2026-04-05 18:29:08 UTC\r\nSource: Nils Jacobi via Alamy Stock Photo\r\nDid you know that the BlackCat ransomware group has successfully breached more than 60 organizations in a\r\ncouple of months? Government, healthcare, or public utilities — the group has made it abundantly clear that\r\neveryone is a target and will demand ransoms that can reach into the millions. Our own research shows that the\r\nBlackCat cybergroup favors exploiting vulnerabilities found in Windows operating systems, Exchange servers,\r\nand Secure Mobile Access products. Let's break down their tactics and ways to defend against their attacks. \r\nWho Is BlackCat?\r\nBlackCat (also known as AlphaV, AlphaVM, ALPHV, ALPHV-ng, or Noberus) is a relative newcomer to the\r\nransomware scene but quickly gained notoriety during its first active months. Discovered in November 2021, the\r\ngroup was feared for its sophistication. Experts and researchers believe the group may be associated with other\r\nadvanced-persistent threat (APT) groups like Conti, DarkSide, REvil, and BlackMatter.\r\nBlackCat: The Brief\r\nhttps://www.darkreading.com/vulnerabilities-threats/everything-you-need-to-know-about-blackcat-alphav-Page 1 of 4\n\nBlackCat has been observed to have the knowledge to exploit these five vulnerabilities: CVE-2016-0099 (High),\r\nCVE-2019-7481 (High), CVE-2021-31207 (High), CVE-2021-34473 (Critical), and CVE-2021-34523\r\n(Critical). 
CVE-2021-34473 and CVE-2021-34523 are both critical vulnerabilities found in Microsoft Exchange\r\nServer and require immediate remediation.\r\nAlthough CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 have high severity scores, they should still\r\ntake priority in patching efforts for their potential use in vulnerability chaining attacks and have multiple known\r\nthreat actor associations.\r\nCVE-2019-7481 is a SQL injection vulnerability that affected SonicWall SMA100 version 9.0.0.3 and earlier. As\r\nthis version is no longer supported by the vendor, an immediate version upgrade is advised.\r\nHow BlackCat Operates\r\nBlackCat's entry into an organization's network begins by leveraging stolen access credentials. At the pace\r\nsecurity breaches occur, it is difficult to gauge how many credentials are stolen or leaked to the public every year,\r\nbut about 20,000 (or 50%) of security incidents in 2021 were initiated by stolen credentials. \r\nAfter initial access is made, BlackCat or similar ransomware groups silently collect information, mapping the\r\nentire network and manipulating accounts for deeper access. Vendor-specific ransomware is then created based on\r\nthe intelligence gathered during the initial phase of the attack, and security/backup systems are disabled or made\r\nto appear to be functioning as expected. The final step is to execute the ransomware and drop ransom notes on\r\ntheir unsuspecting victims.\r\nNotable Characteristics\r\nWhat sets BlackCat apart from other ransomware groups is its ability to create highly tailored executables for the\r\nintended target that contribute to its reputation for sophisticated attack patterns across environments.\r\nBlackCat develops its tools with the Rust programming language, which brings greater stability and integration\r\npossibilities. 
By taking advantage of command-line-driven and human-operated code, BlackCat brings a higher\r\nlevel of configuration.\r\nIts ransomware can then encrypt victims' data with four types of encryption methods. The code can be deployed\r\nacross different platforms, including Linux- and Windows-based systems.\r\nBlackCat also engages in the practice of selling its services to others, commonly known as ransomware-as-a-service. Although BlackCat is the first known group to develop its ransomware with the Rust programming\r\nlanguage, its use is now becoming common in threat circles. The group is further known for its speedy data\r\nencryption, which gives victims a smaller window and fewer chances of preventing prolonged damage and\r\ndisruption to their services. The group's public leak site makes it simple for users to search their database of stolen\r\ninformation by victim name, password, and document type.\r\nHow Organizations Can Prevent a BlackCat Attack\r\nThe ransomware group is quickly becoming the preferred ransomware-as-a-service provider for many threat\r\nactors today. Although the true extent of BlackCat's havoc may never fully be known, more than 60 incidents\r\ninvolving the group have pushed the FBI to release an advisory warning of the group's potential danger.\r\nKeeping this information in mind, here are some actions businesses and organizations can take to protect\r\nthemselves from a ransomware attack.\r\nPatch vulnerabilities that are known to be exploited by the group, like the ones listed at the top of this\r\narticle. 
Make sure unused network ports are properly protected.\r\nDeploy multifactor authentication for all users, require consistent identity verification, and routinely\r\nrefresh passwords.\r\nRegularly perform attack surface management scans to identify exposures within organization assets like\r\nservers, applications, and cloud-connected deployments.\r\nConsider a professional penetration test of company networks to find unknown exposures.\r\nMaintain separate backup data to avoid contamination in the event of a ransomware attack.\r\nAlthough the threat landscape evolves and BlackCat's methods adapt over time, organizations have a\r\nresponsibility to consistently monitor their networks and patch vulnerabilities accordingly. Many vulnerabilities,\r\nlike CVE-2016-0099 (found in Microsoft Windows), have been known for years and yet are still exploited today.\r\nWhen it comes to ransomware groups, give them an inch, and they will take a mile.\r\nAbout the Author\r\nCEO \u0026 Co-Founder, Securin\r\nAaron Sandeen is the CEO and co-founder of Securin (formerly Cyber Security Works), a Department of\r\nHomeland Security-sponsored company focused on helping leaders proactively increase their resilience against\r\never-evolving security threats on-premises and in the cloud. Aaron leads Securin in providing intelligent and\r\nactionable security insights at every layer of company operations.\r\nSource: https://www.darkreading.com/vulnerabilities-threats/everything-you-need-to-know-about-blackcat-alphav-",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/vulnerabilities-threats/everything-you-need-to-know-about-blackcat-alphav-"
	],
	"report_names": [
		"everything-you-need-to-know-about-blackcat-alphav-"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434562,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7f17af7bef2039de3f81791fbde35f5b7ba1c12.pdf",
		"text": "https://archive.orkl.eu/f7f17af7bef2039de3f81791fbde35f5b7ba1c12.txt",
		"img": "https://archive.orkl.eu/f7f17af7bef2039de3f81791fbde35f5b7ba1c12.jpg"
	}
}