elf.blackcat

BlackCat

aka: ALPHV, Noberus

ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware-as-a-Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. The operators market it as ALPHV on cybercrime forums, but security researchers commonly call it BlackCat because of the black cat icon shown on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.

ALPHV can be configured to encrypt files using either the AES or the ChaCha20 algorithm. To maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.

Yara Rules
[TLP:WHITE] elf_blackcat_auto (20230715 | Detects elf.blackcat.)
rule elf_blackcat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects elf.blackcat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f0b 0f0b 90 90 90 }
            // n = 5, score = 200
            //   0f0b                 | ud2                 
            //   0f0b                 | ud2                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 

        $sequence_1 = { 83e13f 09f1 09d1 81f9???????? }
            // n = 4, score = 200
            //   83e13f               | and                 ecx, 0x3f
            //   09f1                 | or                  ecx, esi
            //   09d1                 | or                  ecx, edx
            //   81f9????????         | cmp                 ecx, imm32 (wildcarded)

        $sequence_2 = { f20f5cc3 f20f59c1 f20f58c3 f20f5dc2 }
            // n = 4, score = 200
            //   f20f5cc3             | subsd               xmm0, xmm3
            //   f20f59c1             | mulsd               xmm0, xmm1
            //   f20f58c3             | addsd               xmm0, xmm3
            //   f20f5dc2             | minsd               xmm0, xmm2

        $sequence_3 = { 89c1 c1e902 69d1???????? c1ea11 6bca64 }
            // n = 5, score = 200
            //   89c1                 | mov                 ecx, eax
            //   c1e902               | shr                 ecx, 2
            //   69d1????????         | imul                edx, ecx, imm32 (wildcarded)
            //   c1ea11               | shr                 edx, 0x11
            //   6bca64               | imul                ecx, edx, 0x64

        $sequence_4 = { 660f70c900 660f6fd1 660f74d0 660fd7ea 660f6fd0 }
            // n = 5, score = 200
            //   660f70c900           | pshufd              xmm1, xmm1, 0
            //   660f6fd1             | movdqa              xmm2, xmm1
            //   660f74d0             | pcmpeqb             xmm2, xmm0
            //   660fd7ea             | pmovmskb            ebp, xmm2
            //   660f6fd0             | movdqa              xmm2, xmm0

        $sequence_5 = { 660f2ec1 0fb6db 0f43dd 80fbff }
            // n = 4, score = 200
            //   660f2ec1             | ucomisd             xmm0, xmm1
            //   0fb6db               | movzx               ebx, bl
            //   0f43dd               | cmovae              ebx, ebp
            //   80fbff               | cmp                 bl, 0xff

        $sequence_6 = { d1e9 01d1 c1e902 8d14cd00000000 29ca }
            // n = 5, score = 200
            //   d1e9                 | shr                 ecx, 1
            //   01d1                 | add                 ecx, edx
            //   c1e902               | shr                 ecx, 2
            //   8d14cd00000000       | lea                 edx, [ecx*8]
            //   29ca                 | sub                 edx, ecx

        $sequence_7 = { 09f2 c1e206 83e03f 09d0 3d???????? }
            // n = 5, score = 200
            //   09f2                 | or                  edx, esi
            //   c1e206               | shl                 edx, 6
            //   83e03f               | and                 eax, 0x3f
            //   09d0                 | or                  eax, edx
            //   3d????????           | cmp                 eax, imm32 (wildcarded)

        $sequence_8 = { 5b c3 e8???????? 89c2 }
            // n = 4, score = 200
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   e8????????           | call                rel32 (wildcarded)
            //   89c2                 | mov                 edx, eax

        $sequence_9 = { e9???????? b8???????? eb59 b8???????? eb52 b8???????? eb4b }
            // n = 7, score = 200
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   b8????????           | mov                 eax, imm32 (wildcarded)
            //   eb59                 | jmp                 short +0x59
            //   b8????????           | mov                 eax, imm32 (wildcarded)
            //   eb52                 | jmp                 short +0x52
            //   b8????????           | mov                 eax, imm32 (wildcarded)
            //   eb4b                 | jmp                 short +0x4b

    condition:
        7 of them and filesize < 8011776
}
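As an added example (not Malpedia's or yara-signator's code, and not a YARA engine), the Python below re-implements just enough of YARA to evaluate this rule's ten hex strings with their `??` wildcard bytes and its `7 of them and filesize < 8011776` condition; the scanned buffer is constructed in the script, not taken from a real sample.

```python
"""Minimal evaluator for the string and condition logic of elf_blackcat_auto.

Added example: not Malpedia or yara-signator code, and not a YARA engine.
It handles only what this rule needs: hex strings with `??` wildcards and
the condition `7 of them and filesize < 8011776`.
"""
import re

# The ten hex strings exactly as they appear in the rule above.
RULE_STRINGS = {
    "sequence_0": "0f0b 0f0b 90 90 90",
    "sequence_1": "83e13f 09f1 09d1 81f9????????",
    "sequence_2": "f20f5cc3 f20f59c1 f20f58c3 f20f5dc2",
    "sequence_3": "89c1 c1e902 69d1???????? c1ea11 6bca64",
    "sequence_4": "660f70c900 660f6fd1 660f74d0 660fd7ea 660f6fd0",
    "sequence_5": "660f2ec1 0fb6db 0f43dd 80fbff",
    "sequence_6": "d1e9 01d1 c1e902 8d14cd00000000 29ca",
    "sequence_7": "09f2 c1e206 83e03f 09d0 3d????????",
    "sequence_8": "5b c3 e8???????? 89c2",
    "sequence_9": "e9???????? b8???????? eb59 b8???????? eb52 b8???????? eb4b",
}
REQUIRED_MATCHES = 7      # "7 of them" means at least seven distinct strings
MAX_FILESIZE = 8011776    # "filesize < 8011776"


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Compile a YARA hex string into a bytes regex; each `??` matches any one byte."""
    nibbles = hex_string.replace(" ", "")
    if len(nibbles) % 2:
        raise ValueError("hex string must contain whole bytes")
    parts = []
    for i in range(0, len(nibbles), 2):
        pair = nibbles[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so `.` also matches 0x0a


def match_strings(data: bytes) -> dict:
    """Return {string name: offset of first hit} for every rule string found in data."""
    hits = {}
    for name, hex_string in RULE_STRINGS.items():
        m = hex_string_to_regex(hex_string).search(data)
        if m:
            hits[name] = m.start()
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: 7 of them and filesize < 8011776."""
    return len(match_strings(data)) >= REQUIRED_MATCHES and len(data) < MAX_FILESIZE


def build_sample(count: int) -> bytes:
    """Constructed test buffer: filler plus the first `count` strings, wildcards filled with 0x41."""
    chunks = [b"\x00" * 16]
    for hex_string in list(RULE_STRINGS.values())[:count]:
        chunks.append(bytes.fromhex(hex_string.replace(" ", "").replace("??", "41")))
        chunks.append(b"\xcc" * 4)  # padding between sequences
    return b"".join(chunks)
```

Use the real YARA engine for scanning in production; this script only makes the rule's matching semantics visible.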