BlackCat
ALPHV/BlackCat is a Russian-speaking ransomware-as-a-service (RaaS) operation and one of the most prolific ransomware groups observed in recent years. Reporting identifies it under the aliases ALPHV, BlackCat, Black Cat, Noberus, and Embargo. In one period referenced by the DOJ it was described as the second-most prolific RaaS group globally, with affiliates having compromised more than 1,000 entities, demanded more than $500 million, and received nearly $300 million in ransom payments. Reported victim sectors include government facilities, emergency services, defense industrial base companies, manufacturing, healthcare, schools, hospitality, and critical infrastructure, with examples including Change Healthcare, MGM Resorts, Caesars Entertainment, Creos Luxembourg, Norton Healthcare, Fidelity National Financial, Tipalti, Henry Schein, Seiko, and MeridianLink.

The group uses a multiple-extortion model: data theft before encryption, public leak-site pressure, and in some cases extortion without deploying ransomware at all. Reporting states that affiliates have used advanced social engineering and open-source research for initial access, including impersonating IT/helpdesk staff via phone calls or SMS to steal credentials. Other reported access and movement patterns include use of stolen credentials for remote services, credential dumping, lateral movement via PsExec and Remote Desktop Protocol, and use of legitimate administrative tools. The malware is described as capable of encrypting both Windows and Linux systems, with newer versions designed to better evade defenses. The group also operated Tor-based leak and victim-communication sites and used live-chat URLs to communicate demands and restoration processes. One reported tactic for increasing extortion pressure was reporting a victim to the U.S. SEC.

Reporting repeatedly links Scattered Spider (also tracked as UNC3944, Octo Tempest, Muddled Libra, Scatter Swine, 0ktapus/Oktapus, and StarFraud) as an affiliate or partner in some ALPHV/BlackCat intrusions, including the attacks on MGM Resorts and Caesars Entertainment and activity associated with Change Healthcare. Reporting also notes that Conti-linked actors shifted to groups including ALPHV, and one source states that ALPHV operators had ties to Conti. Another article says BlackCat is believed to be a rebrand lineage following DarkSide and BlackMatter under law-enforcement pressure, though this is presented as belief and reporting rather than definitive attribution.

Law enforcement significantly disrupted ALPHV/BlackCat infrastructure in December 2023, seizing multiple websites and obtaining hundreds of onion-service key pairs. The FBI said it developed a decryptor that helped dozens of victims and was made available to more than 500 organizations, avoiding about $68 million in ransom payments. Despite this, the group briefly appeared to contest control of its Tor infrastructure. In early 2024, the operation was reported to have conducted an exit scam after the Change Healthcare incident: an affiliate alleged that ALPHV leadership kept a roughly $22 million ransom payment, shut off the affiliate's account, posted a fake seizure notice, and then announced closure of the project and sale of the source code. Multiple experts assessed that the operators were likely to re-emerge under a new brand.
Tradecraft
59 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
14 malware families attributed to this actor across reporting.
9 additional families tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
124 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as a major ransomware group used as an example of why focusing only on headline operators misses the broader and growing ransomware population.
Referenced as a major ransomware brand used as an example of why tracking only headline groups is insufficient.
Ransomware operations using stolen credentials for remote services, credential dumping, PsExec-based lateral movement, and encryption for impact; specifically referenced in the Change Healthcare attack.
Referenced as a named ransomware group linked to infrastructure overlap involving the WIN-LIVFRVQFMKO system.