Threat Actor Profile
Critical Cybercriminal
Description

The operators of the ALPHV/BlackCat ransomware began their activity in December 2021, making posts on Dark Web forums to promote their affiliate program and offering other actors the opportunity to take part in a 'new type of ransomware family' developed from scratch in the Rust programming language.

Clear evidence indicates that the actors behind this ransomware are not new to cybercrime: there were links to other affiliate programs such as DarkSide, BlackMatter, and REvil. (After several attacks against large companies, those groups faced pressure and arrests that forced them to terminate their operations.)

As a security measure, the ALPHV operators require an 'access token' to execute the ransomware payload; the token is supplied by the owners of the Ransomware-as-a-Service to the affiliate. The same token is embedded in the victim's ransom note so that the victim can contact the threat actor responsible for encrypting the data.

ALPHV affiliates employ double and triple extortion techniques: publication of the company's name on leak sites, threats of data leakage, and lastly threats of DDoS attacks against the organization.

Source: https://github.com/crocodyli/ThreatActors-TTPs

Confidence Score
100%
Known Aliases
blackcat
Tags
ransomware ransomware.live blackcat
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026

MITRE ATT&CK Techniques (32)
T1003.001 - LSASS Memory (Credential Access)
T1552 - Unsecured Credentials (Credential Access)
T1555 - Credentials from Password Stores (Credential Access)
T1027 - Obfuscated Files or Information (Defense Evasion)
T1036 - Masquerading (Defense Evasion)
T1070.001 - Clear Windows Event Logs (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1134.002 - Create Process with Token (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1497 - Virtualization/Sandbox Evasion (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1053 - Scheduled Task/Job (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1072 - Software Deployment Tools (Execution)
T1106 - Native API (Execution)
T1569.002 - Service Execution (Execution)
T1020 - Automated Exfiltration (Exfiltration)
T1030 - Data Transfer Size Limits (Exfiltration)
T1041 - Exfiltration Over C2 Channel (Exfiltration)
T1048.002 - Exfiltration Over Asymmetric Encrypted … (Exfiltration)
T1567.002 - Exfiltration to Cloud Storage (Exfiltration)
T1485 - Data Destruction (Impact)
T1486 - Data Encrypted for Impact (Impact)
T1489 - Service Stop (Impact)
T1490 - Inhibit System Recovery (Impact)
T1498 - Network Denial of Service (Impact)
T1190 - Exploit Public-Facing Application (Initial Access)
T1133 - External Remote Services (Persistence)
T1547 - Boot or Logon Autostart Execution (Persistence)
T1548.002 - Bypass User Account Control (Privilege Escalation)
STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'The operators of the ALPHV/BlackCat ransomware began their '
                'activity in December 2021, making posts on Dark Web forums to '
                'promote their affiliate program, offering other actors the '
                "opportunity to engage in a 'new type of ransomware family' "
                'developed from scratch using the Rust programming '
                'language.<BR> <BR> Some clear evidence indicates that the '
                'actors behind this new ransomware are not new to cybercrime, '
                'and there were links to other affiliate programs such as '
                'DarkSide, BlackMatter, and REvil. (After several attacks '
                'against large companies, these groups faced pressure and '
                'arrests, necessitating the termination of their '
                'operations).<BR> <BR> As a security measure, the operators of '
                'ALPHV implemented the requirement for the execution of the '
                "ransomware payload by providing an 'access token,' which is "
                'supplied by the owners of the Ransomware-as-a-Service to the '
                "affiliate. This token is added to the victim's ransom note so "
                'that they can contact the threat actor responsible for '
                'encrypting the data.<BR> <BR> ALPHV affiliates employ double '
                'and triple extortion techniques, meaning the publication of '
                "the company's name on leak sites, threats of data leakage, "
                'and lastly, threats of DDoS attacks against the '
                'organization.<BR>Source: '
                'https://github.com/crocodyli/ThreatActors-TTPs',
 'firstseen': '2021-09-09T23:46:53.997398+00:00',
 'group': 'alphv',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': '2024-03-03T15:40:36.123456+00:00',
 'locations': [{'available': False,
                'fqdn': '2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion',
                'slug': 'http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion',
                'title': '',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion',
                'slug': 'http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion/search',
                'title': '\xa0',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion',
                'slug': 'http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/api/blog/all/0/12',
                'title': 'THIS WEBSITE HAS BEEN SEIZED',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion',
                'slug': 'http://alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion',
                'title': 'THIS WEBSITE HAS BEEN SEIZED',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 4,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': False,
                                    'fqdn': '2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion',
                                    'slug': 'http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion',
                                    'title': '',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion',
                                    'slug': 'http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion/search',
                                    'title': '\xa0',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion',
                                    'slug': 'http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/api/blog/all/0/12',
                                    'title': 'THIS WEBSITE HAS BEEN SEIZED',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion',
                                    'slug': 'http://alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion',
                                    'title': 'THIS WEBSITE HAS BEEN SEIZED',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 4,
                     'ransomware_live_group': 'alphv',
                     'tools': {},
                     'url': 'https://www.ransomware.live/group/alphv',
                     'victims': 731,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {},
 'ttps': [{'tactic_id': 'TA0001',
           'tactic_name': 'Initial Access',
           'techniques': [{'technique_details': 'In some attacks, threat '
                                                'actors utilized ProxyShell '
                                                'vulnerabilities '
                                                '(CVE-2021-34473, '
                                                'CVE-2021-34523, '
                                                'CVE-2021-31207).',
                           'technique_id': 'T1078',
                           'technique_name': 'Valid Accounts'},
                          {'technique_details': 'As an initial attack vector, '
                                                'insecure RDP and VPNs were '
                                                'exploited.',
                           'technique_id': 'T1133',
                           'technique_name': 'External Remote Services'},
                          {'technique_details': 'BlackCat affiliates may '
                                                "purchase access to victims' "
                                                'network infrastructure on '
                                                'underground forums.',
                           'technique_id': 'T1190',
                           'technique_name': 'Exploit Public-Facing '
                                             'Application'}]},
          {'tactic_id': 'TA0002',
           'tactic_name': 'Execution',
           'techniques': [{'technique_details': 'BlackCat uses native API.',
                           'technique_id': 'T1106',
                           'technique_name': 'Native API'},
                          {'technique_details': 'When deploying ransomware on '
                                                "the victim's network "
                                                'infrastructure, BlackCat '
                                                'affiliates may leverage group '
                                                'policies, resulting in the '
                                                'creation of a scheduled task '
                                                '(on each host) initiating the '
                                                'ransomware.',
                           'technique_id': 'T1053',
                           'technique_name': 'Scheduled Task/Job'},
                          {'technique_details': 'LockBit affiliates use batch '
                                                'scripts to execute malicious '
                                                'commands.',
                           'technique_id': 'T1059.003',
                           'technique_name': 'Command and Scripting '
                                             'Interpreter: Windows Command '
                                             'Shell'},
                          {'technique_details': 'To disrupt IIS, delete volume '
                                                'shadow copies, disable '
                                                'recovery, clear Windows event '
                                                'logs, etc., BlackCat '
                                                'ransomware utilizes command '
                                                'shell to execute appropriate '
                                                'commands.',
                           'technique_id': 'T1059.001',
                           'technique_name': 'Command and Scripting '
                                             'Interpreter: PowerShell'},
                          {'technique_details': 'BlackCat Ransomware for '
                                                'Windows can self-propagate on '
                                                'the local network using '
                                                'legitimate PsExec utility '
                                                '(contained within its body), '
                                                'which creates a temporary '
                                                'system service.',
                           'technique_id': 'T1569.002',
                           'technique_name': 'System Services: Service '
                                             'Execution'},
                          {'technique_details': 'Adversaries may use wmic to '
                                                'gather information and '
                                                'execute various commands, '
                                                'including deleting volume '
                                                'shadow copies. They may also '
                                                "use Impacket's wmiexec module "
                                                'to execute commands and move '
                                                'laterally across the network.',
                           'technique_id': 'T1072',
                           'technique_name': 'Windows Management '
                                             'Instrumentation'}]},
          {'tactic_id': 'TA0003',
           'tactic_name': 'Persistence',
           'techniques': [{'technique_details': 'Legitimate accounts obtained '
                                                'by adversaries may be used to '
                                                'ensure persistence in the '
                                                'compromised infrastructure.',
                           'technique_id': 'T1078',
                           'technique_name': 'Valid Accounts'},
                          {'technique_details': 'Successful exploitation of '
                                                'ProxyShell vulnerabilities '
                                                'allowed adversaries to place '
                                                'a web shell on a vulnerable '
                                                'Microsoft Exchange server.',
                           'technique_id': 'T1547',
                           'technique_name': 'Server Software Component'}]},
          {'tactic_id': 'TA0004',
           'tactic_name': 'Privilege Escalation',
           'techniques': [{'technique_details': 'To escalate privileges, '
                                                'BlackCat ransomware may '
                                                'initiate its process using '
                                                'stolen authentication data '
                                                'and the '
                                                'CreateProcessWithLogonW '
                                                'function.',
                           'technique_id': 'T1134.002',
                           'technique_name': 'Access Token Manipulation: '
                                             'Create Process with Token'},
                          {'technique_details': 'To bypass UAC, BlackCat '
                                                'ransomware may elevate '
                                                'privileges using the '
                                                'ICMLuaUtil COM interface, as '
                                                'well as utilize the '
                                                'Masquerade PEB method.',
                           'technique_id': 'T1548.002',
                           'technique_name': 'Abuse Elevation Control '
                                             'Mechanism: Bypass User Account '
                                             'Control'},
                          {'technique_details': 'To escalate privileges, '
                                                'BlackCat may use stolen '
                                                'legitimate accounts specified '
                                                'in configuration data.',
                           'technique_id': 'T1078',
                           'technique_name': 'Valid Accounts'}]},
          {'tactic_id': 'TA0005',
           'tactic_name': 'Defense Evasion',
           'techniques': [{'technique_details': 'BlackCat ransomware uses '
                                                'obfuscation.',
                           'technique_id': 'T1027',
                           'technique_name': 'Obfuscated Files or Information'},
                          {'technique_details': 'To avoid detection, '
                                                'adversaries terminate '
                                                'processes and services '
                                                'related to security software '
                                                'and antivirus.',
                           'technique_id': 'T1562.001',
                           'technique_name': 'Impair Defenses: Disable or '
                                             'Modify Tools'},
                          {'technique_details': 'Using wevtutil, BlackCat can '
                                                'clear all Windows event logs '
                                                'on a compromised host.',
                           'technique_id': 'T1070.001',
                           'technique_name': 'Indicator Removal: Clear Windows '
                                             'Event Logs'},
                          {'technique_details': 'BlackCat decrypts '
                                                'configuration data, as well '
                                                'as decrypts and unpacks '
                                                'legitimate PsExec utility and '
                                                'an additional BAT file '
                                                'contained within the '
                                                'ransomware body.',
                           'technique_id': 'T1140',
                           'technique_name': 'Deobfuscate/Decode Files or '
                                             'Information'},
                          {'technique_details': 'For anti-analysis (including '
                                                'in a sandbox), ALPHV MORPH '
                                                'checks the access token value '
                                                'of the command line '
                                                'parameter. Its value must '
                                                'contain the correct first 16 '
                                                'characters used to decrypt '
                                                "BlackCat's configuration "
                                                'data.',
                           'technique_id': 'T1497',
                           'technique_name': 'Virtualization/Sandbox Evasion'},
                          {'technique_details': 'Adversaries use a renamed '
                                                'SoftPerfect Network Scanner '
                                                'executable to svchost.exe.',
                           'technique_id': 'T1036',
                           'technique_name': 'Masquerading'},
                          {'technique_details': 'To propagate, BlackCat uses '
                                                'PsExec to modify the MaxMpxCt '
                                                'system registry parameter to '
                                                'increase the number of failed '
                                                'network requests for each '
                                                'client.',
                           'technique_id': 'T1112',
                           'technique_name': 'Modify Registry'}]},
          {'tactic_id': 'TA0006',
           'tactic_name': 'Credential Access',
           'techniques': [{'technique_details': 'Adversaries may use NirSoft '
                                                'utilities to extract '
                                                'authentication data from web '
                                                'browsers and other storage '
                                                'spaces.',
                           'technique_id': 'T1555',
                           'technique_name': 'Credentials from Password '
                                             'Stores'},
                          {'technique_details': 'Adversaries may use NirSoft '
                                                'utilities to obtain '
                                                'authentication data from '
                                                'registry and file.',
                           'technique_id': 'T1552',
                           'technique_name': 'Unsecured Credentials'},
                          {'technique_details': 'Adversaries may dump the '
                                                'LSASS process to obtain '
                                                'authentication data using '
                                                'legitimate tools (procdump, '
                                                'comsvcs.dll).',
                           'technique_id': 'T1003.001',
                           'technique_name': 'OS Credential Dumping: LSASS '
                                             'Memory'}]},
          {'tactic_id': 'TA0040',
           'tactic_name': 'Impact',
           'techniques': [{'technique_details': 'If credentials to access a '
                                                "victim's chat leak, BlackCat "
                                                'affiliates can delete '
                                                'encryption keys, rendering '
                                                'file decryption impossible.',
                           'technique_id': 'T1485',
                           'technique_name': 'Data Destruction'},
                          {'technique_details': 'BlackCat encrypts the content '
                                                'of files on the local system '
                                                'as well as on available '
                                                'network resources.',
                           'technique_id': 'T1486',
                           'technique_name': 'Data Encrypted for Impact'},
                          {'technique_details': 'BlackCat stops security, '
                                                'backup, database, email, and '
                                                'other specified services in '
                                                'the configuration.',
                           'technique_id': 'T1489',
                           'technique_name': 'Service Stop'},
                          {'technique_details': 'BlackCat deletes Windows '
                                                'volume shadow copies using '
                                                'vssadmin and wmic, disables '
                                                'recovery in the Windows boot '
                                                'menu using bccedit, and '
                                                'empties the Recycle Bin. '
                                                'BlackCat can stop backup '
                                                'services and destroy virtual '
                                                'machine snapshots.',
                           'technique_id': 'T1490',
                           'technique_name': 'Inhibit System Recovery'},
                          {'technique_details': 'If the victim refuses to pay '
                                                'the ransom, BlackCat may '
                                                'conduct DDoS attacks against '
                                                "the victim's infrastructure.",
                           'technique_id': 'T1498',
                           'technique_name': 'Network Denial of Service'}]},
          {'tactic_id': 'TA0010',
           'tactic_name': 'Exfiltration',
           'techniques': [{'technique_details': 'When using Cobalt Strike, '
                                                'attackers can send collected '
                                                'information through the '
                                                'Cobalt Strike server '
                                                'communication channels.',
                           'technique_id': 'T1041',
                           'technique_name': 'Exfiltration Over C2 Channel'},
                          {'technique_details': 'After access is obtained, '
                                                'files from target hosts are '
                                                'automatically uploaded to the '
                                                'legitimate cloud storage '
                                                'service MEGA using the Rclone '
                                                'utility.',
                           'technique_id': 'T1020',
                           'technique_name': 'Automated Exfiltration'},
                          {'technique_details': 'To avoid exceeding data size '
                                                'limits and triggering '
                                                'security controls, stolen '
                                                'data may be sent in '
                                                'fixed-size blocks.',
                           'technique_id': 'T1030',
                           'technique_name': 'Data Transfer Size Limits'},
                          {'technique_details': 'Attackers may use the '
                                                'ExMatter exfiltration tool, '
                                                'which sends stolen data to '
                                                'specified SFTP and WebDav '
                                                'resources in the ExMatter '
                                                'configuration.',
                           'technique_id': 'T1048.002',
                           'technique_name': 'Exfiltration Over Alternative '
                                             'Protocol: Exfiltration Over '
                                             'Asymmetric Encrypted Non-C2 '
                                             'Protocol'},
                          {'technique_details': 'Attackers use the Rclone sync '
                                                'utility to upload stolen data '
                                                'to the legitimate cloud '
                                                'storage service MEGA.',
                           'technique_id': 'T1567.002',
                           'technique_name': 'Exfiltration Over Web Service: '
                                             'Exfiltration to Cloud '
                                             'Storage'}]}],
 'url': 'https://www.ransomware.live/group/alphv',
 'victims': 731,
 'vulnerabilities': []}