Names | ALPHV (self given) ALPHVM (self given) BlackCat Gang (?) | |
Country | [Unknown] | |
Motivation | Financial gain | |
First seen | 2021 | |
Description | (Palo Alto) BlackCat (aka ALPHV) is a ransomware family that surfaced in mid-November 2021 and quickly gained notoriety for its sophistication and innovation. Operating a ransomware-as-a-service (RaaS) business model, BlackCat was observed soliciting for affiliates in known cybercrime forums, offering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment. The remainder would be paid to the BlackCat author. The threat actors leveraging BlackCat, often referred to as the 'BlackCat gang,' utilize numerous tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use multiple extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid and distributed denial-of-service (DDoS) attacks. | |
Observed | Countries: Worldwide. | |
Tools used | BlackCat, GO Simple Tunnel, LaZagne, MEGAsync, Mimikatz, PsExec, WebBrowserPassView. | |
Operations performed | Dec 2021 | Global IT services provider Inetum hit by ransomware attack <https://www.bleepingcomputer.com/news/security/global-it-services-provider-inetum-hit-by-ransomware-attack/> |
Dec 2021 | Fashion giant Moncler confirms data breach after ransomware attack <https://www.bleepingcomputer.com/news/security/fashion-giant-moncler-confirms-data-breach-after-ransomware-attack/> | |
Jan 2022 | BlackCat ransomware implicated in attack on German oil companies <https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/> | |
Jan 2022 | String of cyberattacks on European oil and chemical sectors likely not coordinated, officials say <https://therecord.media/string-of-cyberattacks-on-european-oil-and-chemical-sectors-likely-not-coordinated-officials-say/> | |
Feb 2022 | BlackCat (ALPHV) claims Swissport ransomware attack, leaks data <https://www.bleepingcomputer.com/news/security/blackcat-alphv-claims-swissport-ransomware-attack-leaks-data/> | |
Apr 2022 | BlackCat, believed to be a rebranded version of the BlackMatter or DarkSide ransomware group, has claimed to have successfully targeted several organizations including a popular Nigerian betting platform Bet9ja, three universities - FIU, NCAT State University, AIT-Thailand, and the largest natural gas supplier in Latin America - TGS, in the past few days. <https://www.bankinfosecurity.com/blackcat-attack-on-betting-company-disrupts-service-a-18886> | |
May 2022 | Austrian federal state Carinthia has been hit by the BlackCat ransomware gang, also known as ALPHV, who demanded $5 million to unlock the encrypted computer systems. <https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/> | |
May 2022 | Lockbit, Hive, and BlackCat attack automotive supplier in triple ransomware attack <https://news.sophos.com/en-us/2022/08/10/lockbit-hive-and-blackcat-attack-automotive-supplier-in-triple-ransomware-attack/> | |
Jun 2022 | Louisiana authorities investigating ransomware attack on city of Alexandria <https://therecord.media/louisiana-authorities-investigating-ransomware-attack-on-city-of-alexandria/> | |
Jun 2022 | BlackCat Attacks University of Pisa, Demands $4.5M Ransom <https://www.bankinfosecurity.com/blackcat-attacks-university-pisa-demands-45m-ransom-a-19338> | |
Jun 2022 | Ransomware gang creates site for employees to search for their stolen data <https://www.bleepingcomputer.com/news/security/ransomware-gang-creates-site-for-employees-to-search-for-their-stolen-data/> | |
Jul 2022 | BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands <https://resecurity.com/blog/article/blackcat-aka-alphv-ransomware-is-increasing-stakes-up-to-25m-in-demands> | |
Jul 2022 | Bandai Namco confirms hack after ALPHV ransomware data leak threat <https://www.bleepingcomputer.com/news/security/bandai-namco-confirms-hack-after-alphv-ransomware-data-leak-threat/> | |
Jul 2022 | The ALPHV ransomware gang, aka BlackCat, claimed responsibility for a cyberattack against Creos Luxembourg S.A. last week, a natural gas pipeline and electricity network operator in the central European country. <https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-attack-on-european-gas-pipeline/> | |
Aug 2022 | Major airline technology provider Accelya attacked by ransomware group <https://therecord.media/major-airline-technology-provider-accelya-attacked-by-ransomware-group/> | |
Aug 2022 | The BlackCat/ALPHV ransomware gang claimed responsibility for an attack that hit the systems of Italy's energy agency Gestore dei Servizi Energetici SpA (GSE) over the weekend. <https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-attack-on-italian-energy-agency/> | |
Sep 2022 | “BlackCat” attempts to up the pressure on Suffolk County; starts to leak data? <https://www.databreaches.net/blackcat-attempts-to-up-the-pressure-on-suffolk-county-starts-to-leak-data/> | |
Sep 2022 | BlackCat said they breached US Department of Defense contractor and went offline <https://cybernews.com/news/blackcat-breached-department-of-defense-contractor-went-offline/> | |
Dec 2022 | Colombian energy supplier EPM hit by BlackCat ransomware attack <https://www.bleepingcomputer.com/news/security/colombian-energy-supplier-epm-hit-by-blackcat-ransomware-attack/> | |
Dec 2022 | Toy maker Jakks Pacific reports cyberattack after multiple ransomware groups leak data <https://therecord.media/toy-maker-jakks-pacific-reports-cyberattack-after-multiple-ransomware-groups-post-stolen-data/> | |
Dec 2022 | Ransomware gang cloned victim’s website to leak stolen data <https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victim-s-website-to-leak-stolen-data/> | |
Jan 2023 | The BlackCat Ransomware group claims to have hacked SOLAR INDUSTRIES INDIA and to have stolen 2TB of “secret military data.” <https://securityaffairs.com/141409/data-breach/blackcat-ransomware-solar-industries-india.html> | |
Jan 2023 | BlackCat Adds Indian Missile Fuel Maker to Its Victims List <https://www.bankinfosecurity.com/blackcat-adds-indian-missile-fuel-maker-to-its-victims-list-a-21089> | |
Information | <https://unit42.paloaltonetworks.com/blackcat-ransomware/> <https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/> <https://therecord.media/an-alphv-blackcat-representative-discusses-the-groups-plans-for-a-ransomware-meta-universe/> <https://www.darkreading.com/vulnerabilities-threats/everything-you-need-to-know-about-blackcat-alphav-> |
Last change to this card: 17 February 2023