ALPHV, also known as “BlackCat” (due to the black cat favicon used on the group’s Tor payment site) or “Noberus”, is a ransomware variant and ransomware extortion group that first emerged around November 2021. The group operates under a Ransomware-as-a-Service (RaaS) model, where the original ransomware product is sold to affiliates in illicit underground hacking communities such as XSS and Exploit.1
ALPHV is reportedly related to the other ransomware variants “BlackMatter” and “DarkSide” and is the first professional ransomware gang to utilize the Rust programming language.2 The operators of ALPHV have reportedly sought to recruit former members of the BlackMatter, DarkSide, and REvil groups, and several similarities have been identified between the TTPs of ALPHV and BlackMatter ransomware actors. The group has also recruited members on the “RAMP V3” forum and, despite being a mainly Russian-language group, has expressed interest in working with Chinese-language affiliates as well (provided that they also speak Russian).
One of the primary individuals advertising the ALPHV RaaS operates under the alias “ransom” and has emphasized the decentralized nature of their ransomware. ALPHV offers affiliates a larger revenue share than many other RaaS operations, with affiliates earning 80% of payments up to $1.5 million, 85% of payments up to $3 million and 90% of payments over $3 million.3
Notable TTPs and Attacks
Since ALPHV is relatively new, not many victims have been publicly identified; however, reports indicate that the group has previously attacked victims in the US, Australia, and India.4 The antivirus company Emsisoft has also suggested that there may have been a total of 776 ALPHV incidents since the ransomware’s inception and pointed out that the group has published the stolen data of at least 40 organizations on its leak site.5
One major ALPHV attack occurred in November 2021 when the German oil distributor “Oiltanking” was targeted. The incident affected 13 fuel terminals and forced the company to shut down many of its automation processes; more than 200 gas stations, mostly located in northern Germany, were impacted during the attack.6
Another substantial attack occurred in February 2022 when the cargo handling provider “Swissport” was hit by the ransomware. ALPHV posted samples from the 1.6 TB of stolen data to its data leak site, including passports, internal business notes, and PII of job candidates.7
The group uses a multi-extortion model: affiliates steal data before encrypting devices and threaten to publish it if a ransom is not paid (double extortion), and add further pressure on top of that (see below). Unlike many other ransomware gangs, ALPHV prioritizes negotiations and even provides victims with an intermediary login page to conduct private negotiations.8
In addition to encrypting the victim’s network, ALPHV affiliates apply several extortion techniques: uploading stolen data to a dedicated leak site maintained on Tor, threatening to sell and/or release additional information, and threatening the victim with Distributed Denial of Service (DDoS) attacks if they do not pay the ransom. The DDoS threat is the third layer that makes the scheme “triple extortion”.
As mentioned before, the malware is written in Rust, is highly configurable, and has the ability to use different encryption routines, spread between computers, terminate running virtual machines (including VMware ESXi VMs), and automatically delete ESXi snapshots to prevent recovery. The ransomware also carries a JSON configuration, which permits customization of file extensions, ransom notes, and more.9
Affiliates associated with ALPHV ransomware have used a variety of attack vectors to gain initial access to victim networks, including phishing, brute-forcing credentials, exploiting known vulnerabilities or common security misconfigurations, using purchased legitimate credentials, and using valid credentials for Remote Desktop Protocol (RDP) connections and commercial Virtual Private Network (VPN) products. Post-compromise TTPs that have been identified include using PowerShell to alter Windows Defender security settings, using PsExec for lateral movement, tool transfer and execution, using Cobalt Strike for network access and lateral movement, and exfiltrating data to publicly available cloud file-sharing services.10
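The capabilities and post-compromise TTPs described in the two paragraphs above (Defender tampering via PowerShell, PsExec service execution, ESXi VM termination and snapshot deletion, exfiltration to cloud file-sharing services) are what a detection engineer would turn into rules. The following is an added example, not code from the original page or from any ALPHV sample: a small Python detection pass over constructed log lines modelled on PowerShell ScriptBlock logging (Event ID 4104), Sysmon process creation (Event ID 1) and ESXi shell.log. The command lines, host names, ATT&CK technique mapping and the rclone/MEGA exfiltration indicator are assumptions chosen for the illustration; the page itself names no specific commands or services.

```python
"""Detection pass for ALPHV/BlackCat-style TTPs over constructed log lines.

Added example, not from the original page. SAMPLE_LOGS is constructed to
resemble PowerShell 4104, Sysmon 1 and ESXi shell.log records; the
regexes and ATT&CK mapping are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # ATT&CK technique ID (assumed mapping)
    pattern: re.Pattern


RULES = [
    # PowerShell disabling Defender features (Set-MpPreference -Disable* $true)
    Rule("defender_tamper", "T1562.001",
         re.compile(r"Set-MpPreference\s+.*-Disable\w+\s+\$?true", re.I)),
    # PsExec drops PSEXESVC.exe on the target and runs it as a service
    Rule("psexec_service", "T1569.002",
         re.compile(r"(?:PSEXESVC|psexec(?:64)?\.exe)", re.I)),
    # ESXi snapshot wipe to prevent recovery
    Rule("esxi_snapshot_wipe", "T1490",
         re.compile(r"vim-cmd\s+vmsvc/snapshot\.removeall", re.I)),
    # ESXi forced VM termination before encryption
    Rule("esxi_vm_kill", "T1489",
         re.compile(r"esxcli\s+vm\s+process\s+kill", re.I)),
    # Exfiltration tooling to public cloud storage (assumed indicator)
    Rule("cloud_exfil", "T1567.002",
         re.compile(r"(?:mega\.nz|megasync|rclone)", re.I)),
]

# Constructed sample records (not real captures); "host=" is the pivot key.
SAMPLE_LOGS = [
    'host=WS01 src=PowerShell/4104 ScriptBlockText="Set-MpPreference -DisableRealtimeMonitoring $true"',
    'host=FS02 src=Sysmon/1 Image="C:\\Windows\\PSEXESVC.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
    'host=esxi01 src=shell.log cmd="esxcli vm process kill --type=force --world-id=2101234"',
    'host=esxi01 src=shell.log cmd="vim-cmd vmsvc/snapshot.removeall 12"',
    'host=WS01 src=Sysmon/1 Image="C:\\Tools\\rclone.exe" CommandLine="rclone.exe copy D:\\Share mega:backup"',
    'host=WS03 src=PowerShell/4104 ScriptBlockText="Get-MpPreference"',   # benign noise
]


def scan(lines):
    """Return (host, rule_name, technique) for every rule that fires on a line."""
    hits = []
    for line in lines:
        host = re.search(r"host=(\S+)", line)
        host_name = host.group(1) if host else "?"
        for rule in RULES:
            if rule.pattern.search(line):
                hits.append((host_name, rule.name, rule.technique))
    return hits


def score_hosts(hits, threshold=2):
    """Escalate hosts with >= threshold distinct techniques.

    A single hit (e.g. one PsExec run) is often admin activity; several
    distinct ATT&CK techniques on one host within the window is the signal.
    """
    per_host = {}
    for host, _name, technique in hits:
        per_host.setdefault(host, set()).add(technique)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for host, name, technique in found:
        print(f"{host:8} {technique:10} {name}")
    print("escalate:", score_hosts(found))
```

Running the block flags WS01 (Defender tampering plus rclone exfiltration) and esxi01 (VM kill plus snapshot wipe) while FS02, with a single PsExec service hit, stays below the escalation threshold; in production the same correlation would be keyed on a time window and the threshold tuned to the environment's PsExec usage.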
ALPHV offers a much higher share to affiliates than other similar RaaS operators: “ransom” has advertised that affiliates receive 80% of the ransom payment if the payment is up to $1.5M and 90% if the payment is over $3M.
ALPHV ransom demands have ranged from $400,000 to $3 million.11
ALPHV has explicitly prohibited attacks on any nation belonging to the Commonwealth of Independent States, including Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, and Ukraine.
The group also prohibits attacks on government, healthcare, and educational institutions.
ALPHV is the first professional ransomware family written in the Rust programming language, and the malware is complex and highly customizable.
The ALPHV group refuses to work with English-speaking affiliates and prioritizes Russian speakers.
The ransomware group has very similar TTPs to other prolific ransomware gangs and has sought to recruit team members from BlackMatter, DarkSide, and REvil groups.