ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: ALPHV, BlackCat Gang

Names: ALPHV (self given)
ALPHVM (self given)
BlackCat Gang (?)
Country: [Unknown]
Motivation: Financial gain
First seen: 2021
Description: (Palo Alto) BlackCat (aka ALPHV) is a ransomware family that surfaced in mid-November 2021 and quickly gained notoriety for its sophistication and innovation. Operating a ransomware-as-a-service (RaaS) business model, BlackCat was observed soliciting for affiliates in known cybercrime forums, offering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment. The remainder would be paid to the BlackCat author.

The threat actors leveraging BlackCat, often referred to as the 'BlackCat gang,' utilize numerous tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use multiple extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid and distributed denial-of-service (DDoS) attacks.
Observed: Countries: Worldwide.
Tools used: BlackCat, GO Simple Tunnel, LaZagne, MEGAsync, Mimikatz, PsExec, WebBrowserPassView.
Operations performed:
Dec 2021: Global IT services provider Inetum hit by ransomware attack
<https://www.bleepingcomputer.com/news/security/global-it-services-provider-inetum-hit-by-ransomware-attack/>
Dec 2021: Fashion giant Moncler confirms data breach after ransomware attack
<https://www.bleepingcomputer.com/news/security/fashion-giant-moncler-confirms-data-breach-after-ransomware-attack/>
Jan 2022: BlackCat ransomware implicated in attack on German oil companies
<https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/>
Jan 2022: String of cyberattacks on European oil and chemical sectors likely not coordinated, officials say
<https://therecord.media/string-of-cyberattacks-on-european-oil-and-chemical-sectors-likely-not-coordinated-officials-say/>
Feb 2022: BlackCat (ALPHV) claims Swissport ransomware attack, leaks data
<https://www.bleepingcomputer.com/news/security/blackcat-alphv-claims-swissport-ransomware-attack-leaks-data/>
Apr 2022: BlackCat, believed to be a rebranded version of the BlackMatter or DarkSide ransomware group, has claimed to have successfully targeted several organizations in the past few days, including the popular Nigerian betting platform Bet9ja; three universities (FIU, NCAT State University and AIT-Thailand); and the largest natural gas supplier in Latin America, TGS.
<https://www.bankinfosecurity.com/blackcat-attack-on-betting-company-disrupts-service-a-18886>
Information:
<https://unit42.paloaltonetworks.com/blackcat-ransomware/>
<https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/>
<https://therecord.media/an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware-meta-universe/>

Last change to this card: 04 May 2022
