Technical Analysis of ALPHV/BlackCat Ransomware

mins read time
A thorough technical analysis of BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries.
Mehardeep Singh Sawhney
Published on
May 22, 2023
Blog Image

In recent years, ransomware attacks have become increasingly common, with new strains being discovered all the time. One such strain is BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries. The operators of the ransomware are seen employing double extortion techniques, which involve not only encrypting the system but also stealing sensitive files from their victims. Reportedly, another tool is used with the ransomware for stealing data.

BlackCat ransomware is written in Rust and comes in the form of a command-line tool, which can be run with different arguments. It is capable of killing multiple processes and services. One of its key features is its ability to escalate privileges and bypass User Account Control (UAC). This sophisticated malware uses either AES or ChaCha20 encryption (depending on its configuration) to encrypt all the files on a victim's system. Additionally, it has sandbox evasion capabilities, making it hard to analyze the sample. The ransomware requires arguments to run, making it impossible to analyze by a sandbox. In this blog, we'll take a closer look at the characteristics and technicalities of this Rust-written ransomware.

Historical Campaign Overview

It has been witnessed that attackers that use the BlackCat ransomware also reportedly use a .NET stealer tool named ExMatter, developed by the same APT group, in order to download files from the victim machine. This is what makes this attack even more formidable since this gives attackers the leverage to use a technique known as double extortion, which involves the added pressure of leaking stolen files possibly containing sensitive data. (Refer to the Appendix for a YARA rule that helps with hunting BlackCat.)

Technical Analysis

The BlackCat binary comes in the form of a command-line tool that can be run using different arguments. For example:

  • By using –verbose, the logs created by BlackCat will be displayed on the console. 
  • The –ui option displays a GUI-like display in the terminal window, showing the progress and information related to the files being encrypted on the system.
Screenshot of the GUI-like displayed shown upon using the UI option

Out of these arguments, only one of them is essential to the execution of the binary, which is the access-token argument.

List of the arguments that can be used while running the binary

Pre-Encryption Operations

As mentioned earlier, the binary will only run if it is supplied with a 32-character long access token. It uses the GetCommandLineW API in order to check whether the access token is correctly supplied.

Using GetCommandLineW to check whether the access token is correctly supplied

Depending on the version of the Ransomware, this token can either be random (like in this sample), or as seen in the latest versions, this access token is a 32-character key used to encrypt the configuration of the Ransomware embedded within the binary. Latest versions do this in order to stop security researchers from extracting the configuration. This also serves as an anti-sandboxing measure, since automated analysis tools will not be able to execute the sample unless they are configured to supply the access token. 

Ransom Note

Once the access token is supplied to the binary, the Ransomware proceeds by decrypting the ransom note embedded within the binary and storing it for later use. It also sets the ransom note as the Desktop wallpaper.

Decrypted ransom note stored for later use

After this, the Ransomware prepares itself to escalate privileges by creating a new thread using the CreateThread API.

Privilege Escalation & UAC Bypass

BlackCat ransomware performs a UAC bypass by abusing Microsoft COM (component object model). This attack involves using COM objects of a binary known as Microsoft CMSTP (Connection Manager Profile Installer), particularly the CMSTPLUA interface {3E5FC7F9-9A51-4367-9063-A120244FBEC7}.

The ransomware uses CoGetObject to register itself with the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which is legitimately used to execute applications with elevated privileges. This technique allows it to bypass the UAC prompt and perform its malicious actions without being detected or blocked by the system's security measures.

Using CoGetObject to register itself with {3E5FC7F9-9A51-4367-9063-A120244FBEC7} in order to gain elevated privileges

Once the ransomware elevates privileges, it executes within the newly created thread and carries its arguments forward from its previous instance.

BlackCat executes itself within the new thread with elevated privileges using the same arguments as before

After this, BlackCat uses the LookupPrivilegeValueW API in order to look for local identifiers for a list of privileges. Each of these privileges enables the running process to run system-level operations. (Refer to the Appendix for a complete list and description of each privilege). The binary then uses AdjustTokenPriveleges in order to grant itself those privileges.

List of privileges sought out by BlackCat


Using LookupPrivilegeValueW and AdjustTokenPrivileges in order to grant itself privileges

Finally, BlackCat ends its preparation for encryption by doing the following:

  • Deleting all volume shadow copies using vssadmin and wmic commads, thus making data recovery much harder.
  • Disabling Automatic Repair using bcdedit, in order to prevent the recovery of system-related files.
  • Clearing event logs.
  • Terminating all active services and processes.

Note: BlackCat has its configuration embedded within itself and decrypts it at runtime. The configuration contains information about the public key to be used in order to encrypt the key, any specific services to terminate, an exception list, etc.

Screenshot displaying the BlackCat configuration

Data Encryption

The sample of BlackCat utilized for this analysis employs AES for encryption. The steps involved in encrypting are as follows:

  • BlackCat first traverses the system by using a loop of FindFirstFile and FindNextFIle in order to find all the files on the system.
  • The ransom note is written to each directory using WriteFile.
Screenshot of the ransom note left by BlackCat

  • Using BCryptGenRandom, the ransomware calculates a random AES key.
  • A JSON block is created for each file, which contains the AES key that is used to encrypt the file, and information about the file.
JSON block containing information about the key and file

  • The AES key is further encrypted using the RSA public key stored in the BlackCat configuration.
  • The file is encrypted using AES, and the contents are written to the file using ReadFile and WriteFile. The new extension of the file is mentioned in the BlackCat configuration.
Using AES to encrypt the file

Post-Encryption Operations

Once BlackCat is done encrypting all files on the system, the Desktop wallpaper is changed, instructing the user to refer to the ransom note. 

Changed Desktop background

The .onion URL specified in the ransom note is unique to each victim, as each sample uses a different access token, supplied to the URL as a parameter. The onion URL contains information about the files encrypted/stolen and instructions on how to pay the ransom.

Indicators of Compromise (IoCs)







List of Security Privileges & Responsibilities Targeted by BlackCat

Security Privilege



Allows a process to increase the memory quota assigned to it.


Allows a process to read or modify the security settings of objects in the system.


Allows a process to take ownership of any object in the system.


Allows a process to load device drivers.


Allows a process to gather profiling information for the entire system.


Allows a process to change the system time.


Allows a process to profile a single process.


Allows a process to increase the base priority of a thread.


Allows a process to create a pagefile.


Allows a process to perform backup and restore operations.


Allows a process to restore backed-up objects.


Allows a process to shut down the system.


Allows a process to debug other processes.


Allows a process to modify system environment variables.


Allows a process to receive notifications when an object is modified.


Allows a process to shut down remote systems.


Allows a process to undock a laptop computer.


Allows a process to manage volume and disk configurations.


Allows a process to impersonate other users or groups.

YARA Rule for BlackCat Threat Hunting

rule win_blackcat_auto {

        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.blackcat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.

        $sequence_0 = { c3 81f90a010000 7e6a 81f9e2030000 0f8fcc000000 81f90b010000 }
            // n = 6, score = 600
            //   c3                   | ret                 
            //   81f90a010000         | cmp                 ecx, 0x10a
            //   7e6a                 | jle                 0x6c
            //   81f9e2030000         | cmp                 ecx, 0x3e2
            //   0f8fcc000000         | jg                  0xd2
            //   81f90b010000         | cmp                 ecx, 0x10b

        $sequence_1 = { 85f6 0f8482000000 bb03000000 8d0437 }
            // n = 4, score = 600
            //   85f6                 | test                esi, esi
            //   0f8482000000         | je                  0x88
            //   bb03000000           | mov                 ebx, 3
            //   8d0437               | lea                 eax, [edi + esi]

        $sequence_2 = { 885405cc 48 eb19 89ca 83fa63 7fbe }
            // n = 6, score = 600
            //   885405cc             | mov                 byte ptr [ebp + eax - 0x34], dl
            //   48                   | dec                 eax
            //   eb19                 | jmp                 0x1b
            //   89ca                 | mov                 edx, ecx
            //   83fa63               | cmp                 edx, 0x63
            //   7fbe                 | jg                  0xffffffc0

        $sequence_3 = { f20f104808 8d45d4 894dec c645f004 8d4dec }
            // n = 5, score = 600
            //   f20f104808           | movsd               xmm1, qword ptr [eax + 8]
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   c645f004             | mov                 byte ptr [ebp - 0x10], 4
            //   8d4dec               | lea                 ecx, [ebp - 0x14]

        $sequence_4 = { 3d32210000 747b 3d33210000 0f8571050000 8b07 }
            // n = 5, score = 600
            //   3d32210000           | cmp                 eax, 0x2132
            //   747b                 | je                  0x7d
            //   3d33210000           | cmp                 eax, 0x2133
            //   0f8571050000         | jne                 0x577
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_5 = { b005 5e 5d c3 81f90a010000 7e6a 81f9e2030000 }
            // n = 7, score = 600
            //   b005                 | mov                 al, 5
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   81f90a010000         | cmp                 ecx, 0x10a
            //   7e6a                 | jle                 0x6c
            //   81f9e2030000         | cmp                 ecx, 0x3e2

        $sequence_6 = { 747b 3d33210000 0f8571050000 8b07 83f00a }
            // n = 5, score = 600
            //   747b                 | je                  0x7d
            //   3d33210000           | cmp                 eax, 0x2133
            //   0f8571050000         | jne                 0x577
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   83f00a               | xor                 eax, 0xa

        $sequence_7 = { b806000000 c7460400000000 894608 c70601000000 83c430 }
            // n = 5, score = 600
            //   b806000000           | mov                 eax, 6
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   c70601000000         | mov                 dword ptr [esi], 1
            //   83c430               | add                 esp, 0x30

        $sequence_8 = { 89d0 ba3e000000 897e0c f7e2 }
            // n = 4, score = 600
            //   89d0                 | mov                 eax, edx
            //   ba3e000000           | mov                 edx, 0x3e
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   f7e2                 | mul                 edx

        $sequence_9 = { c6410b00 66c741090000 8b45ec 894110 c7411400000000 b801000000 8901 }
            // n = 7, score = 600
            //   c6410b00             | mov                 byte ptr [ecx + 0xb], 0
            //   66c741090000         | mov                 word ptr [ecx + 9], 0
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   894110               | mov                 dword ptr [ecx + 0x10], eax
            //   c7411400000000       | mov                 dword ptr [ecx + 0x14], 0
            //   b801000000           | mov                 eax, 1
            //   8901                 | mov                 dword ptr [ecx], eax

        7 of them and filesize < 29981696

Related Posts
Blog Image
September 8, 2023

Understanding Knight Ransomware: Advisory, Analysis

Cyclops, now renamed as Knight also known as Cyclops 2.0, debuted in May 2023. The Cyclops group has successfully developed ransomware that can infect all three major platforms: Windows, Linux, macOS, ESXi and Android.

Blog Image
July 28, 2023

Amadey Equipped with AV Disabler drops Redline Stealer

Our researchers have found out The Amadey botnet is now using a new Healer AV disabler to disable Microsoft Defender and infect target systems with Redline stealer.

Blog Image
July 11, 2023

Breaking into the Bandit Stealer Malware Infrastructure

CloudSEK's threat researchers discovered a new Bandit Stealer malware web panel on 06 July 2023, with at least 14 active instances.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.