
BlackCat

Also known as: ALPHV, Noberus, UNC4466, Scattered Spider affiliate, ALPHV-ng, AlphaV, AlphaVM

Status: Inactive | Sophistication: Expert | Origin: Russia

Campaigns: 0 | Techniques: 17 | IOCs: 5 | Tools: 17 | Matches: 0 | Infrastructure: 4

Overview

The BlackCat/ALPHV ransomware operation executed an exit scam in March 2024 following the Change Healthcare attack: the operators kept the entire $22 million ransom payment and cheated their affiliates. The FBI had previously disrupted the operation in December 2023, seizing infrastructure and releasing a decryption tool that saved victims roughly $99 million. In the March 2024 exit scam the group posted a fake FBI seizure notice, announced its closure and attempted to sell the source code for $5 million. As of early 2025, the group has apparently disappeared. The notable affiliate Scattered Spider continues independent operations with DragonForce and other ransomware variants.

Motivations

Financial Gain, Extortion

Target Sectors

Healthcare, Financial Services, Government, Legal, Technology, Hospitality, Manufacturing, Energy, Education

Activity Timeline

First Seen: Nov 2021
Last Seen: Mar 2024

Quick Facts

Origin: Russia
Sophistication: Expert
Status: Inactive

MITRE ATT&CK Techniques (17)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Other

T1562.001

Impair Defenses: Disable or Modify Tools

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

T1484.002

Domain or Tenant Policy Modification: Domain Trust Modification

T1550.001

Use Alternate Authentication Material: Application Access Token

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1070

Indicator Removal

Delete or modify artifacts such as logs and files to hide activity.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Tools & Malware (17)

BlackCat/ALPHV Ransomware

malware (Malicious)

First major ransomware written in Rust for cross-platform capability (Windows, Linux, VMware ESXi). Supports multiple encryption modes and customizable per-victim configurations.

ExMatter

malware (Malicious)

Custom .NET data exfiltration tool that selectively steals documents, databases, and sensitive files before encryption. Uploads to attacker-controlled SFTP servers.

Eamfo

malware (Malicious)

Custom info-stealer that targets Veeam backup credentials stored in SQL databases. Extracts backup admin credentials to enable deletion of backups before ransomware deployment.

Sphynx

malware (Malicious)

Updated BlackCat encryptor variant with built-in tools for network propagation using Impacket's psexec and remcom for lateral movement during encryption.

Cobalt Strike

framework (Legitimate)

Standard post-exploitation framework for lateral movement, persistence, and C2. Affiliates deploy custom Cobalt Strike loaders to evade signature-based detections.

Brute Ratel

framework (Legitimate)

Advanced C2 framework used by BlackCat affiliates as a Cobalt Strike alternative. Harder for EDR solutions to detect because it operates at the syscall level.

Mimikatz

framework (Legitimate)

Deployed for LSASS memory dumping, DCSync attacks, and Kerberos ticket extraction. Used to achieve domain-wide administrative access before ransomware staging.

AnyDesk

legitimate tool (Legitimate)

Primary remote access tool installed for persistent hands-on-keyboard access. Multiple affiliates deploy AnyDesk on dozens of systems for redundant access.

ScreenConnect (ConnectWise)

legitimate tool (Legitimate)

Remote management tool used by affiliates for persistent access. Harder to detect than C2 beacons since it generates legitimate-looking remote access traffic.

Ngrok

legitimate tool (Legitimate)

Tunneling tool used to create reverse tunnels to compromised systems, enabling access even when direct inbound connections are blocked by firewalls.

Advanced IP Scanner

legitimate tool (Legitimate)

Network discovery tool used to map internal infrastructure, identify domain controllers, file servers, and backup systems for maximum impact targeting.

BloodHound

framework (Legitimate)

AD attack path mapping tool used to identify privilege escalation routes from initial access to domain admin for rapid domain compromise.

LaZagne

framework (Legitimate)

Credential recovery tool used to extract saved passwords from browsers, email clients, databases, and various Windows credential stores.

Mega.nz

legitimate tool (Legitimate)

Cloud storage service abused for data exfiltration. Affiliates sync stolen data via MEGAsync client, taking advantage of the service's end-to-end encryption.

PowerShell

os utility (Legitimate)

Used for disabling security tools, deleting shadow copies (vssadmin, wmic shadowcopy), modifying boot configuration, and deploying ransomware via scripts.

PsExec

legitimate tool (Legitimate)

Used for remote ransomware deployment across domain-joined systems. Often combined with compromised domain admin credentials from DCSync attacks.

Scattered Spider TTPs

script (Malicious)

Some BlackCat affiliates (Scattered Spider/UNC3944) specialize in social engineering helpdesk staff for MFA bypass and SIM swapping to gain initial access.

Indicators of Compromise (5)

IOC values are defanged for safety.

Type   | Value                                                            | Notes
ip     | 185[.]220[.]101[.]65                                             | BlackCat affiliate Tor exit node used for initial access
ip     | 193[.]42[.]33[.]14                                               | ExMatter data exfiltration server
hash   | 847f5914c43e17748b9d838c1e185b03                                 | BlackCat ransomware Rust binary (MD5)
hash   | f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6 | ExMatter data exfiltration tool (SHA-256)
domain | alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion | BlackCat dark web leak site (.onion)

Infrastructure (4)

Domain values are defanged for safety.

Domain / Host                                                    | Type  | Status  | Last Checked | Notes
185[.]220[.]101[.]65                                             | ip    | offline | Apr 2, 2026  | BlackCat affiliate Tor exit node used for initial access
193[.]42[.]33[.]14                                               | ip    | offline | Apr 2, 2026  | ExMatter data exfiltration server
alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion | onion | active  | Apr 2, 2026  | BlackCat dark web leak site (.onion)
he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad[.]onion | onion | unknown | —            |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (15)

CISA - ALPHV BlackCat Ransomware

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

FBI - ALPHV BlackCat Ransomware Indicators of Compromise

https://www.ic3.gov/Media/News/2022/220420.pdf

Microsoft - The many lives of BlackCat ransomware

https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/

DOJ: Two Americans Plead Guilty to ALPHV BlackCat Ransomware Attacks (Dec 2025)

https://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware

FBI Leads Alphv/BlackCat Takedown (Dec 2023)

https://www.techtarget.com/searchsecurity/news/366564014/FBI-leads-Alphv-BlackCat-takedown-decrypts-victims-data

BlackCat Ransomware Exit Scam (Mar 2024)

https://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/

Change Healthcare Attack Analysis (Feb 2024)

https://www.picussecurity.com/resource/blog/alphv-ransomware

FinCEN: ALPHV Most Prevalent Ransomware 2022-2024

https://www.fincen.gov/news/news-releases/fincen-issues-financial-trend-analysis-ransomware

Third Ransomware Negotiator Charged (Mar 2026)

https://www.hipaajournal.com/u-s-nationals-indicted-blackcat-ransomware-attacks/

Mandiant: UNC4466 ALPHV Affiliate Targets Veritas Backup (Mar 2024)

https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/

Change Healthcare Cyberattack - AHA Report

https://www.aha.org/change-healthcare-cyberattack-underscores-urgent-need-strengthen-cyber-preparedness-individual-health-care-organizations-and

The Record - Ransomware incident responder gave info to BlackCat cybercriminals during negotiations

https://therecord.media/ransomware-blackcat-doj-incident-responder

BlackCat Ransomware Group Implodes After Apparent $22M Payment - Krebs on Security

https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/

Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant (Dec 2023)

https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant

Scattered Spider Advisory AA23-320A Updated July 2025 - CISA

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a