What is ALPHV/BlackCat?

When it comes to ransomware there are few criminal gangs more successful than ALPHV. This Russian-speaking crew, also known as BlackCat thanks to the icon that appears on every victim’s payment negotiation page, has a reputation for technical and criminal innovation.

Here’s everything you need to know about this ransomware-as-a-service criminal enterprise.

Related reading: Clop ransomware MOVEit attacks exposed email addresses of 632,000 Pentagon employees

Table of contents:

Who’s behind ALPHV/BlackCat ransomware?

The history of the ALPHV/BlackCat ransomware group extends beyond November 2021 when it emerged onto the cybercrime scene.

In fact, it is thought to have evolved from another high-profile group known as DarkSide. DarkSide was best known for the ransomware attack against the Colonial Pipeline energy company in May 2021, which led to increased global law enforcement interest.

DarkSide itself was comprised of former affiliates of the ReVIL group and operated on a ransomware-as-a-service model. All of these groups do business using Russian language, dark web criminal forums.

An FBI advisory published in April 2022 suggests there is enough evidence to link ALPHV/BlackCat developers to these groups.

How does ALPHV/BlackCat ransomware work?

From a technical perspective, the ALPHV/BlackCat ransomware was the first known to be written using the Rust programming language. This is important as Rust makes malware analysis more difficult, and that includes being able to extract the decryptor through reverse engineering.

The software itself is capable of encrypting (and exfiltrating) data on Linux and Windows devices, and even virtual machines using VMware. As well as being cross platform, it can also be customised for each target.

ALPHV favours two attack methodologies. The first is our old friend unpatched vulnerabilities, the second targeted spearphishing. This largely depends, however, on who is responsible for the attack in question.

Using the ransomware-as-a-service model, attacks are handled by ‘affiliates’ who earn as much as 90% of ransoms paid, based on the size of the final payment. This means there is no strict playbook of tactics, techniques and procedures for any ransomware deployment.

Affiliates are recruited through criminal forums. Once approved, they get access to the malware and a sophisticated control panel. They use this to deploy the ransomware and employ additional pressure on victims to pay by using a triple-extortion process.

As well as stealing data and then encrypting the source, a public ‘leak site’ is employed to share data. Finally, there’s the ability to launch denial of service attacks to add to the chaos.

Who does ALPHV/BlackCat target?

The sad truth of the matter is that no organisation, no industry sector, is safe. So far, attacks have targeted everything from financial to manufacturing, from retail to education, not to mention government agencies.

We saw this in 2022, when American defence contractor NJVC was hit. In 2023, ALPHV/BlackCat shifted its targets to 2023 MGM Resorts International (including its casinos), the Northwest Florida state court and Western Digital.

You may have seen the MGM attack attributed to Scattered Spider, a relatively new group of threat actors, but that’s because it is an ALPHV/BlackCat affiliate.

Geographically speaking, ALPHV appears to favour the US and Europe. And due no doubt to the huge ransoms being demanded, it has lately focused on larger organisations.

What can you do to protect yourself from ALPHV/BlackCat ransomware attacks?

As already mentioned, ALPHV favours spearphishing and unpatched vulnerabilities. On the former method, we have seen specific employees and directors targeted to gain login credentials. On the latter, it loves two-year-old Microsoft Exchange server flaws, or even older ones impacting Windows, plus vulnerabilities in firewalls and VPNs.

Therefore, the best way to protect yourself from ALPHV/BlackCat ransomware attacks is through basic security hygiene. First, implement both phishing awareness training and multi-factor authentication to protect credentials. Second, ensure high-risk vulnerabilities are patched as soon as possible.

These should be considered a bare minimum when it comes to attack mitigation, but we would go a step further.

Network segregation, VLANs and access management

Because ALPHV/BlackCat is ‘human operated’ ransomware, rather than an automated process, lateral movement once inside a network is progressed using a number of highly effective tools. That’s why you should consider network segregation/isolation by employing VLANs. If every machine on a network can see every other machine, the attackers will quickly and easily scan for valuable target destinations.

Employing the principle of least privilege, whereby users are only able to access networks and data that are required by their job function, is another mitigation tactic that can prevent lateral network movement.

In essence, anything that you can do to reduce the attack surface, to make your networks less traversable and your data less accessible, means ransomware attacks are less likely to succeed.

Less likely is not the same as guaranteed to fail, of course. It is essential, therefore, that your organisation should also have a robust and well-rehearsed incident response plan should the worst-case scenario come into play. This will make damage limitation and recovery much easier during times of extreme stress.

We cover more about incident response plans in our ransomware guide: cyberattack demons vs angels.

Additional reading

Avatar photo
Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.