Ransomware Group Profile: BlackCat (Alphv-ng)

Our Research team analysed the profile of the ransomware group dubbed BlackCat. This group doesn’t have an online presence apart from an exclusive Onion site, where they post their activities, updates, and targeted victims.

Updated on

February 27, 2023

Published on

January 7, 2022

Read time

Subscribe to the latest industry news, technologies and resources.

Report Type	Threat Actor Profiling
Research Subject	Threat Actor Handle: BlackCat
TLP	GREEN

Executive Summary

CloudSEK’s Threat Intelligence Research team analyzed the profile of the ransomware group dubbed BlackCat.
This group doesn’t have an online presence apart from an exclusive Onion site, where they post their activities, updates, and targeted victims.
BlackCat is the first known professional ransomware group to use the Rust programming language.
CloudSEK’s Threat Intelligence team conducted further research to analyze the group’s operations and Tactics, Techniques, and Procedures (TTPs).

Detailed Analysis

Information from the BlackCat Onion Site

BlackCat, also known as ALPHVM, is a newly emerged ransomware group that maintains a presence on the dark web. They are currently linked to two different websites, a leak site called ALPHVM and BlackCat.

Information from the Social Media

BlackCat has garnered a lot of attention on Twitter for being a Rust-based ransomware group. One of the initial groups of threat actors that used Rust as a part of their arsenal were the BadBeeTeam Ransomware.
Some Twitter users such as Dark Tracers mention that BlackCat has four Onion sites in operation.
There are various speculations on who the operators behind such a complicated malware could be. However, researchers along with some notorious threat actors, claim that the BlackCat ransomware group operators were formerly associated with the REvil ransomware group.

Information from Discussions on Cybercrime Forums

ALPHV was a former member of the REvil group, which suggests that the BlackCat ransomware group is most likely associated with the REvil ransomware group.
A member of the LockBit ransomware group has claimed that BlackCat is the rebranded version of BlackMatter/ DarkSide.

*Post shared by the threat actor on the English speaking cybercrime forum*

Besides, there are discussions on how the group used Russian cybercrime forums to recruit affiliates to work with them. They are also keen on hiring pentesters skilled in Windows, Linux, and ESXi, which are their encryption targets.
CloudSEK’s Threat Intelligence team picked up similar recruitment posts that were published between 8 December 2021 to 12 December 2021. The posts mention that the partners will receive 80%-90% of the final ransom amount, obtained through double extortion.
Even months prior to the emergence of the BlackCat ransomware, the book ‘Black Hat Rust’ was distributed across cybercrime forums, and accesses to ESXi devices were being actively traded.
So far, the list of victims affected by Alphv-ng/ BlackCat ransomware are:
- Star World Wide (Posted on 30 November 2021)
- New City Commercial Corporation (Posted on 9 December 2021)
A threat actor on an English cybercrime forum, recently requested for affiliates and access from selected countries. The actor’s profile picture and the profit percentages being offered indicate that they could be operators or affiliates of the BlackCat ransomware group.
The actor has requested for accesses to entities from the following countries:
- United States
- Ukraine
- Switzerland.
They have also shared a rate card for potential affiliates to consider:

Information from Open-Source

Threat actors have now released Linux-based variants of the BlackCat ransomware.
Users engaged in related discussions are releasing the samples for the Linux-based variants.
Based on EcuCERT, the malware is said to affect:
- Windows 7 and higher (7, 8.1, 10, 11; 2008r2, 2012, 2016, 2019, 2022); XP and 2003
- ESXI (tested on 5.5, 6.5, 7.0.2u)
- Debian (tested on 7, 8, 9)
- Ubuntu (tested on 18.04, 20.04)
- ReadyNAS, Synology