Ransomware Group Profile: BlackCat (Alphv-ng)

Our Research team analysed the profile of the ransomware group dubbed BlackCat. This group doesn’t have an online presence apart from an exclusive Onion site, where they post their activities, updates, and targeted victims.
Updated on April 19, 2023
Published on January 7, 2022

Report Type: Threat Actor Profiling
Research Subject: Threat Actor Handle: BlackCat
TLP: GREEN

Executive Summary

  • CloudSEK’s Threat Intelligence Research team analyzed the profile of the ransomware group dubbed BlackCat.
  • This group doesn’t have an online presence apart from an exclusive Onion site, where they post their activities, updates, and targeted victims.
  • BlackCat is the first known professional ransomware group to use the Rust programming language.
  • CloudSEK’s Threat Intelligence team conducted further research to analyze the group’s operations and Tactics, Techniques, and Procedures (TTPs).

Detailed Analysis

Information from the BlackCat Onion Site

  • BlackCat, also known as ALPHVM, is a newly emerged ransomware group that maintains a presence on the dark web. It is currently linked to two different websites: a leak site called ALPHVM, and BlackCat.

ALPHVM’s Onion site

Information from the Social Media

  • BlackCat has garnered a lot of attention on Twitter for being a Rust-based ransomware group. One of the first groups of threat actors to use Rust as part of their arsenal was the BadBeeTeam ransomware.
  • Some Twitter users, such as Dark Tracers, mention that BlackCat has four Onion sites in operation.
  • There is various speculation about who the operators behind such a complicated malware could be. However, researchers, along with some notorious threat actors, claim that the BlackCat ransomware operators were formerly associated with the REvil ransomware group.

Information from Discussions on Cybercrime Forums

  • ALPHV was a former member of the REvil group, which suggests that the BlackCat ransomware group is most likely associated with the REvil ransomware group.
  • A member of the LockBit ransomware group has claimed that BlackCat is the rebranded version of BlackMatter/DarkSide.
Forum Post
Post shared by the threat actor on the English speaking cybercrime forum
  • There are also discussions on how the group used Russian cybercrime forums to recruit affiliates. They are also keen on hiring pentesters skilled in Windows, Linux, and ESXi, which are their encryption targets.
  • CloudSEK’s Threat Intelligence team picked up similar recruitment posts published between 8 December 2021 and 12 December 2021. The posts mention that partners will receive 80%-90% of the final ransom amount, obtained through double extortion.
  • Even months prior to the emergence of the BlackCat ransomware, the book ‘Black Hat Rust’ was distributed across cybercrime forums, and access to ESXi devices was being actively traded.
  • So far, the list of victims affected by the Alphv-ng/BlackCat ransomware is:
    • Star World Wide (Posted on 30 November 2021)
    • New City Commercial Corporation (Posted on 9 December 2021)
  • A threat actor on an English cybercrime forum recently requested affiliates and access from selected countries. The actor’s profile picture and the profit percentages being offered indicate that they could be operators or affiliates of the BlackCat ransomware group.
  • The actor has requested access to entities from the following countries:
    • United States
    • Ukraine
    • Switzerland
  • They have also shared a rate card for potential affiliates to consider:


Information from Open-Source

  • Threat actors have now released Linux-based variants of the BlackCat ransomware.
  • Users engaged in related discussions are releasing samples of the Linux-based variants.
  • According to EcuCERT, the malware affects:
    • Windows 7 and higher (7, 8.1, 10, 11; 2008r2, 2012, 2016, 2019, 2022); XP and 2003
    • ESXi (tested on 5.5, 6.5, 7.0.2u)
    • Debian (tested on 7, 8, 9)
    • Ubuntu (tested on 18.04, 20.04)
    • ReadyNAS, Synology

IOCs for the BlackCat Ransomware

Windows Variant


Linux Variant

  • f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6
  • 5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42

References

[1] https://github.com/CyberSoldiers/IOCs/blob/main/BlackCat_Ransomware
[2] https://twitter.com/EcuCERT_EC/status/1471506980413997071

Appendix

BlackCat affiliate program on a cybercrime forum

Possible connection with BlackCat affiliate program on a cybercrime forum

Threat actors showing interest to work with ransomware affiliates

Newly emerged Linux variants of the BlackCat Ransomware
