BlackCat
BlackCat, also known as ALPHV, ALPHV BlackCat, and Noberus, is a ransomware strain and ransomware-as-a-service (RaaS) operation active from at least late 2021. The provided content states it was used to attack and extort hundreds of institutions worldwide and was tied to more than 1,000 victims over an 18-month period. Reported victim sectors and targeting include healthcare, manufacturing, education, entertainment, hospitality, energy, government facilities, emergency services, defense industrial base companies, schools, law firms, financial firms, universities, and other enterprises globally.
The malware is associated with the ALPHV/BlackCat ransomware group and its affiliates, including Scattered Spider / UNC3944 / Octo Tempest / Muddled Libra. The content also links BlackCat activity to DEV-0504 in energy-sector intrusions and notes that operators and affiliates collaborated with both Russian-speaking and English-speaking actors. BlackCat was described as one of the first high-profile examples of triple-extortion ransomware, and multiple references describe double- or multiple-extortion behavior involving data theft, encryption, and leak-site pressure.
Observed behavior in the content includes deletion of Volume Shadow Copies with vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete, and modification of boot recovery settings with bcdedit /set {default} recoveryenabled No, both of which inhibit recovery after encryption. The content further states that BlackCat broadcast NetBIOS Name Service messages to locate servers on compromised networks, and that related intrusion activity commonly involved lateral movement with stolen credentials followed by standard ransomware encryption routines. In broader intrusion chains associated with affiliates, WMI/WMIC, Impacket, remote management tools, and data exfiltration were used.
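As an added illustration (not part of this profile and not any vendor's rule set), the following Python script runs simple process-creation detections over constructed Sysmon-style events for the recovery-inhibition commands quoted above (vssadmin, wmic shadowcopy, bcdedit) and for WMI-spawned shells of the kind affiliates use via Impacket. The sample events are constructed, and the WmiPrvSE.exe parent with an ADMIN$ output redirect is an assumption about how Impacket's wmiexec typically appears in process telemetry, not a pattern stated on this page. The host-level rollup treats two or more distinct recovery-inhibition commands on one host as a ransomware precursor worth paging on.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "ws01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    # Assumed wmiexec-style artifact: WmiPrvSE.exe spawning cmd.exe that redirects output to ADMIN$.
    {"host": "srv02", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1"},
    # Benign administrative commands that must not fire.
    {"host": "srv02", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "srv02", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                       # ATT&CK technique id
    cmdline: re.Pattern                  # matched against the full command line
    parent: Optional[re.Pattern] = None  # matched against the parent image when set


RULES = [
    Rule("vssadmin shadow deletion", "T1490",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    Rule("wmic shadow copy deletion", "T1490",
         re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("bcdedit recovery disabled", "T1490",
         re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    Rule("WMI-spawned shell redirecting output to ADMIN$ (wmiexec-style, assumed pattern)", "T1047",
         re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I),
         re.compile(r"\\WmiPrvSE\.exe$", re.I)),
]


def evaluate(event, rules=RULES):
    """Return (technique, rule name) pairs for every rule the event satisfies."""
    hits = []
    for rule in rules:
        if not rule.cmdline.search(event["cmdline"]):
            continue
        if rule.parent is not None and not rule.parent.search(event["parent"]):
            continue
        hits.append((rule.technique, rule.name))
    return hits


def scan(events, rules=RULES):
    """Flatten rule hits across all events into finding records."""
    findings = []
    for event in events:
        for technique, name in evaluate(event, rules):
            findings.append({"host": event["host"], "technique": technique,
                             "rule": name, "cmdline": event["cmdline"]})
    return findings


def hosts_with_recovery_inhibition(findings, min_distinct=2):
    """Hosts where at least min_distinct different T1490 rules fired: a strong pre-encryption signal."""
    per_host = {}
    for f in findings:
        if f["technique"] == "T1490":
            per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_distinct)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:6} {f['technique']:6} {f['rule']}: {f['cmdline']}")
    print("escalate:", hosts_with_recovery_inhibition(results))
```

Single command matches are noisy on their own (backup agents and administrators run vssadmin and bcdedit), so the rollup is where the value is; in production the parent-process and user context would be fed in from the same event rather than matched on the command line alone.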
The content links BlackCat to major extortion incidents and law-enforcement actions. It was used in attacks against organizations such as MGM Resorts and Caesars Entertainment via Scattered Spider affiliates, and ALPHV directly claimed attacks against Norton Healthcare, Fidelity National Financial, and Tipalti. U.S. authorities described ALPHV/BlackCat as the second-most prolific ransomware-as-a-service group globally, with global losses in the hundreds of millions of dollars. The FBI and international partners infiltrated and disrupted ALPHV infrastructure, seized multiple websites, and developed a decryptor that reportedly helped dozens of victims restore systems and avoid about $68 million in ransom payments; the decryptor was said to be available to more than 500 victim organizations.
The content also notes criminal cases involving BlackCat operators and affiliates, including U.S. indictments and guilty pleas tied to deployment of BlackCat ransomware against U.S. victims in sectors such as medical devices, pharmaceuticals, healthcare, engineering, and drone manufacturing. Infection vectors mentioned in the content include social engineering and credential theft by affiliates, phishing, MFA fatigue, SIM swapping, valid-account abuse, and initial-access malware such as Nitrogen that enabled later BlackCat deployment. High-confidence aliases from the content are ALPHV, ALPHV BlackCat, and Noberus.
Vulnerabilities exploited
15 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
An analysis of ‘exp.exe’ indicated that it is a privilege escalation tool based on the exploitation of CVE-2022-24521 – a vulnerability in the Windows Common Log File System (CLFS) Driver, known to be used by several ransomware groups.
To move laterally, the MOA operators attempted, without success, to exploit the PrintNightmare (CVE-2021-34527), BlueKeep (CVE-2019-0708), and then ZeroLogon (CVE-2020-1472) vulnerabilities via the Mimikatz tool.
“Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS…”
Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi...
Groups observed using it
12 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The 2023 Muddled Libra (operators of ALPHV aka BlackCat ransomware) campaign against entertainment organizations demonstrated that the hospitality stack is a target for ransomware operators.
Vanilla Tempest ... has frequently targeted sectors, including education, healthcare, IT, and manufacturing, using various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.
The activities were ultimately identified as a financial extortion attack executed by the BlackCat (ALPHV) ransomware group or one of its affiliates, and included a massive data exfiltration.
DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022.
Nitrogen was first observed in 2023, using ALPHV, one of the most prevalent ransomware variants at that time.
...delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.
"BlackCat, also called ALPHV and Noberus, is the first Rust-language-based ransomware strain spotted in the wild."
FIN8 has deployed ransomware such as Ragnar Locker, White Rabbit, and attempted to execute Noberus on compromised networks.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
2 techniques
The Scattered Spider actors affiliated with BlackCat are also known to use the ransomware gang's data leak site as part of their extortion attempts, where they leak data or issue statements.
Scattered Spider is a cyber gang linked to SIM swapping, fake IT calls, and ransomware crews like ALPHV... DiMaggio listened in on this call, which was one of the group's recent attempts to infiltrate American retail organizations.
Initial Access
1 technique
Execution
4 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to a protected computer
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Counsel said that a page on the darkweb, a collection of websites that can only be accessed by a specific browser, was located where the ransom demands were outlined.
Persistence
2 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Defense Impairment
1 technique
Discovery
1 technique
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
2 techniques
After establishing a foothold on the network, Scattered Spider uses a range of publicly available software tools for reconnaissance and lateral movement, including ... Screenconnect ... Splashtop ... Teamviewer ... Tailscale ... Ngrok
According to the Shodan search engine, the two hostnames were associated with thousands of internet-facing devices exposing RDP services (TCP port 3389) in December 2025.
Command and Control
2 techniques
The infrastructure commonly supports ransomware command and control (C2) servers, malware distribution, phishing campaigns, botnet management, and data exfiltration staging.
Most recently, IcedID has reportedly been used to download and execute Quantum Locker ransomware... Emotet is being used to load Quantum and ALPHV ransomware... and is being used to load and execute IcedID.
Exfiltration
3 techniques
A new tactic observed in the threat group’s recent attacks is data exfiltration and file encryption using the ALPHV/BlackCat ransomware, followed by communication with the victims ... to negotiate a ransom payment.
The affiliate then gained access to the victim's network to steal data and deploy the ransomware to encrypt data and leave a ransom note.
The victim was directed to the ALPHV BlackCat panel hosted on the dark web where the victim could communicate with the ransomware group to negotiate the ransom.
Impact
5 techniques
The 2023 Muddled Libra (operators of ALPHV aka BlackCat ransomware) campaign against entertainment organizations demonstrated that the hospitality stack is a target for ransomware operators.
Examples include 'Avaddon uses wmic.exe to delete shadow copies,' 'BlackCat can use wmic.exe to delete shadow copies on compromised networks,' and 'WannaCry utilizes wmic to delete shadow copies.'
BlackCat was one of the first high-profile examples of triple extortion ransomware. Along with encryption and data extortion, it used a third technique: adding DDoS components to the attack.
MARTINO also provided confidential information regarding ransomware negotiations to ALPHV BlackCat co-conspirators while employed at Company 1 as a ransomware negotiator.
In one instance, the three men extorted a victim for roughly $1.2 million in Bitcoin and then split the proceeds.
Starting in April of that year, while working as a negotiator on behalf of five ransomware victims, Martino shared confidential information with BlackCat attackers about his clients’ positions and strategies to help maximize their ransom payments. That information included details such as victims’ insurance policy limits and other internal negotiation positions.
Other
1 technique
IOCs tracked for this family
106 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
BlackCat is referenced as a ransomware family in a related article title only; no operational details are provided in the main content.
Ransomware family operated by Muddled Libra/BlackCat affiliates and cited here as evidence that hospitality and entertainment environments are attractive ransomware targets.
Named ransomware family mentioned only in a related-article teaser, without substantive discussion in the main content.
Named ransomware family mentioned as previously associated with attacks involving the same computer name observed in related malicious activity.