BlackCat (ALPHV)
Status: active
Also known as: ALPHV, Noberus
BlackCat/ALPHV is a Ransomware-as-a-Service (RaaS) operation whose encryptor is written in Rust, which lets affiliates build payloads for Windows, Linux and VMware ESXi hosts from one code base. It is known for triple extortion: encrypting data, threatening to publish stolen data, and launching DDoS attacks against victims who do not pay.
First Seen
2021-11
Last Activity
2025-01
Target Regions
3 regions
Industries
5 sectors
Healthcare, Legal Services, Technology, Energy, Retail
Attack Chain (MITRE ATT&CK)
Visual representation of the attack phases and techniques used by BlackCat (ALPHV)
Tactics & Techniques
MITRE ATT&CK mapped tactics and techniques used by this threat actor
Indicators of Compromise (IOCs)
Known IOCs associated with BlackCat (ALPHV) operations
| Type | Value | Description | Last Seen |
|---|---|---|---|
| hash (SHA-256) | b2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3 | ALPHV ransomware binary | 2025-01-08 |
| domain | alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad[.]onion | Tor leak site | — |
IOCs are defanged ([.] in place of .); remove the brackets before loading values into blocklists or search queries.
Detection Guidance
SIEM and EDR detection recommendations for identifying BlackCat (ALPHV) activity
1. Monitor for bcdedit boot-configuration changes (safe-mode boot, recovery disabled); legitimate administrative use is rare enough that each occurrence can be alerted on.
2. Flag Rust-compiled executables with high-entropy sections running from unusual paths; entropy alone is a weak signal, so pair it with execution context (parent process, signing status, user).
3. Alert on mass file access patterns: one process renaming or writing a large number of files on local disks or network shares within a short window.
4. Monitor for the ExMatter data exfiltration tool, which selects files by type and uploads them (typically over SFTP or WebDAV) before encryption begins.
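The four detection points above expressed as rule logic and run over constructed sample telemetry. This is an added example, not a rule set from the page or from any vendor. The event schema (ts, pid, image, cmdline, sha256 for process creation; ts, pid, target for file writes) is an assumption modelled on Sysmon, the ExMatter file name and the mass-access thresholds are assumptions to tune per environment, and the SHA-256 watchlist uses the hash from the IOC table above.

```python
"""Detection logic for BlackCat/ALPHV-style activity over constructed sample
events. Added example; not the page's own or a vendor's detection content.
Field names are assumptions modelled on Sysmon EID 1 (process) / EID 11 (file).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOC from the page's table (SHA-256 of an ALPHV binary).
IOC_SHA256 = {
    "b2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3",
}

# Rule 1: boot-configuration tampering via bcdedit (safe-mode boot, plus the
# recovery/boot-status changes ransomware commonly makes alongside it).
BCDEDIT_RE = re.compile(
    r"bcdedit(?:\.exe)?\s+/set\s+\S+\s+"
    r"(?:safeboot|recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    re.I,
)

# Rule 4: ExMatter exfiltration tool. The file name is an assumption; in
# practice populate this from threat-intel hashes rather than names alone.
EXFIL_TOOL_NAMES = {"exmatter.exe"}

# Rule 3: mass file access, expressed as more than N distinct files touched
# by one process inside a sliding window. Thresholds are assumptions.
MASS_FILE_THRESHOLD = 50
MASS_FILE_WINDOW = timedelta(seconds=60)


def check_process_event(ev):
    """Return the rule names triggered by one process-creation event."""
    hits = []
    if ev.get("sha256", "").lower() in IOC_SHA256:
        hits.append("ioc_hash_match")
    if BCDEDIT_RE.search(ev.get("cmdline", "")):
        hits.append("bcdedit_boot_tamper")
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if image in EXFIL_TOOL_NAMES:
        hits.append("exmatter_exfil_tool")
    return hits


def find_mass_file_access(file_events, threshold=MASS_FILE_THRESHOLD,
                          window=MASS_FILE_WINDOW):
    """Return {pid: peak distinct-file count} for processes that touch more
    than `threshold` distinct files within any `window`-long interval."""
    by_pid = defaultdict(list)
    for ev in file_events:
        by_pid[ev["pid"]].append((ev["ts"], ev["target"]))
    flagged = {}
    for pid, events in by_pid.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {t for _, t in events[start:end + 1]}
            if len(distinct) > threshold:
                flagged[pid] = max(flagged.get(pid, 0), len(distinct))
    return flagged


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real captures). pid 4099 is benign.
SAMPLE_PROCESS_EVENTS = [
    {"ts": _ts("2025-01-08T02:14:01"), "pid": 4099,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "sha256": "11" * 32},
    {"ts": _ts("2025-01-08T02:14:03"), "pid": 4120,
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network", "sha256": "22" * 32},
    {"ts": _ts("2025-01-08T02:14:05"), "pid": 4132,
     "image": r"C:\Users\Public\exmatter.exe", "cmdline": "exmatter.exe",
     "sha256": "33" * 32},
    {"ts": _ts("2025-01-08T02:14:09"), "pid": 4150,
     "image": r"C:\ProgramData\svc.exe", "cmdline": "svc.exe",
     "sha256": "b2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3"},
]
# pid 5000 writes 60 distinct files in 30 s (encryptor-like); pid 6000 writes 3.
SAMPLE_FILE_EVENTS = [
    {"ts": _ts("2025-01-08T02:15:00") + timedelta(seconds=i // 2),
     "pid": 5000, "target": rf"\\fs01\share\doc{i}.docx"} for i in range(60)
] + [
    {"ts": _ts("2025-01-08T02:15:00") + timedelta(seconds=i),
     "pid": 6000, "target": rf"C:\temp\log{i}.txt"} for i in range(3)
]


def run_detections(process_events=SAMPLE_PROCESS_EVENTS,
                   file_events=SAMPLE_FILE_EVENTS):
    """Run every rule and return {alert_name: [pids]}."""
    alerts = defaultdict(list)
    for ev in process_events:
        for rule in check_process_event(ev):
            alerts[rule].append(ev["pid"])
    for pid in find_mass_file_access(file_events):
        alerts["mass_file_access"].append(pid)
    return dict(alerts)


if __name__ == "__main__":
    for name, pids in sorted(run_detections().items()):
        print(f"{name}: pids {pids}")
```

The mass-access rule deliberately counts distinct targets rather than raw events, so a process rewriting one log file thousands of times does not trip it, while an encryptor walking a share does. Tune the window and threshold against a baseline of backup and indexing jobs before enabling it in production.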
Mitigation, Containment & Recovery
Step-by-step guidance for responding to and recovering from this ransomware attack
1. Isolate infected systems immediately, preferably by network quarantine (EDR isolation or switch-port shutdown) rather than powering off, so volatile evidence survives.
2. Block all known IOCs at the network perimeter; the leak site is a Tor hidden service, so block or alert on Tor egress rather than relying on a DNS or URL rule for the .onion name.
3. Preserve evidence for forensic analysis: memory images, ransom notes, the encryptor sample and its command line, and endpoint and network logs covering the period before encryption started.
