SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blackcat (Back to overview)

BlackCat

aka: ALPHV, Noberus

ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.

ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.

References
2022-05-23Trend MicroMatsugaya Shingo
@online{shingo:20220523:lockbit:8d0fff2, author = {Matsugaya Shingo}, title = {{LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022}}, date = {2022-05-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022}, language = {English}, urldate = {2022-05-24} } LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022
BlackCat Conti LockBit
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-04-29The RecordJonathan Greig
@online{greig:20220429:german:d7fd313, author = {Jonathan Greig}, title = {{German wind farm operator confirms cybersecurity incident}}, date = {2022-04-29}, organization = {The Record}, url = {https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/}, language = {English}, urldate = {2022-05-03} } German wind farm operator confirms cybersecurity incident
Black Basta BlackCat
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-04-19FBIFBI
@techreport{fbi:20220419:fbi:05194a3, author = {FBI}, title = {{FBI Flash CU-000167-MW: BlackCat/ALPHV Ransomware Indicators of Compromise}}, date = {2022-04-19}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220420.pdf}, language = {English}, urldate = {2022-05-04} } FBI Flash CU-000167-MW: BlackCat/ALPHV Ransomware Indicators of Compromise
BlackCat
2022-04-18Trend MicroLucas Silva, Leandro Froes
@online{silva:20220418:investigation:a2d3046, author = {Lucas Silva and Leandro Froes}, title = {{An Investigation of the BlackCat Ransomware via Trend Micro Vision One}}, date = {2022-04-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html}, language = {English}, urldate = {2022-04-20} } An Investigation of the BlackCat Ransomware via Trend Micro Vision One
BlackCat
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-04-08The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220408:researchers:245d67d, author = {Ravie Lakshmanan}, title = {{Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity}}, date = {2022-04-08}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html}, language = {English}, urldate = {2022-04-12} } Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity
BlackCat BlackMatter BlackCat BlackMatter
2022-04-07KasperskyGReAT
@techreport{great:20220407:bad:ebb997d, author = {GReAT}, title = {{A Bad Luck BlackCat}}, date = {2022-04-07}, institution = {Kaspersky}, url = {https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf}, language = {English}, urldate = {2022-04-25} } A Bad Luck BlackCat
BlackCat
2022-04-07KasperskyGReAT
@online{great:20220407:bad:162aae7, author = {GReAT}, title = {{A Bad Luck BlackCat}}, date = {2022-04-07}, organization = {Kaspersky}, url = {https://securelist.com/a-bad-luck-blackcat/106254/}, language = {English}, urldate = {2022-04-12} } A Bad Luck BlackCat
BlackCat BlackCat
2022-03-23CrowdStrikeFalcon OverWatch Team
@online{team:20220323:falcon:eb9c44f, author = {Falcon OverWatch Team}, title = {{Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack}}, date = {2022-03-23}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/}, language = {English}, urldate = {2022-03-25} } Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack
BlackCat
2022-03-17CiscoTiago Pereira, Caitlin Huey
@online{pereira:20220317:from:592c847, author = {Tiago Pereira and Caitlin Huey}, title = {{From BlackMatter to BlackCat: Analyzing two attacks from one affiliate}}, date = {2022-03-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html}, language = {English}, urldate = {2022-03-18} } From BlackMatter to BlackCat: Analyzing two attacks from one affiliate
BlackCat BlackMatter BlackCat BlackMatter
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03-01CybereasonTom Fakterman, Ohav Peri
@online{fakterman:20220301:cybereason:b40f6c6, author = {Tom Fakterman and Ohav Peri}, title = {{Cybereason vs. BlackCat Ransomware}}, date = {2022-03-01}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware}, language = {English}, urldate = {2022-03-07} } Cybereason vs. BlackCat Ransomware
BlackCat
2022-02-08TrellixArnab Roy
@online{roy:20220208:blackcat:d336ae8, author = {Arnab Roy}, title = {{BlackCat Ransomware as a Service - The Cat is certainly out of the bag!}}, date = {2022-02-08}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html}, language = {English}, urldate = {2022-02-09} } BlackCat Ransomware as a Service - The Cat is certainly out of the bag!
BlackCat BlackCat
2022-02-02ZDNetJonathan Greig
@online{greig:20220202:blackcat:dba8722, author = {Jonathan Greig}, title = {{BlackCat ransomware implicated in attack on German oil companies}}, date = {2022-02-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/}, language = {English}, urldate = {2022-02-07} } BlackCat ransomware implicated in attack on German oil companies
BlackCat BlackCat
2022-01-28KrebsOnSecurityBrian Krebs
@online{krebs:20220128:who:bc8131a, author = {Brian Krebs}, title = {{Who Wrote the ALPHV/BlackCat Ransomware Strain?}}, date = {2022-01-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/}, language = {English}, urldate = {2022-02-07} } Who Wrote the ALPHV/BlackCat Ransomware Strain?
BlackCat BlackCat
2022-01-27Palo Alto Networks Unit 42Amanda Tanner, Alex Hinchliffe, Doel Santos
@online{tanner:20220127:threat:15f076d, author = {Amanda Tanner and Alex Hinchliffe and Doel Santos}, title = {{Threat Assessment: BlackCat Ransomware}}, date = {2022-01-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/blackcat-ransomware/}, language = {English}, urldate = {2022-02-01} } Threat Assessment: BlackCat Ransomware
BlackCat
2022-01-26VaronisJason Hill
@online{hill:20220126:alphv:dd754b8, author = {Jason Hill}, title = {{ALPHV (BlackCat) Ransomware}}, date = {2022-01-26}, organization = {Varonis}, url = {https://www.varonis.com/blog/alphv-blackcat-ransomware}, language = {English}, urldate = {2022-01-31} } ALPHV (BlackCat) Ransomware
BlackCat
2022-01-26IntrinsecIntrinsec
@online{intrinsec:20220126:alphv:9f00db5, author = {Intrinsec}, title = {{ALPHV ransomware gang analysis}}, date = {2022-01-26}, organization = {Intrinsec}, url = {https://www.intrinsec.com/alphv-ransomware-gang-analysis}, language = {English}, urldate = {2022-02-01} } ALPHV ransomware gang analysis
BlackCat LockBit
2022-01-18SentinelOneJim Walter
@online{walter:20220118:blackcat:39c437d, author = {Jim Walter}, title = {{BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims}}, date = {2022-01-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/}, language = {English}, urldate = {2022-01-19} } BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims
BlackCat
2021-12-16SymantecThreat Hunter Team
@online{team:20211216:noberus:da3ac9d, author = {Threat Hunter Team}, title = {{Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware}}, date = {2021-12-16}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware}, language = {English}, urldate = {2022-02-07} } Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware
BlackCat
2021-12-10Medium s2wlabS2W TALON
@online{talon:20211210:blackcat:2ec3ecf, author = {S2W TALON}, title = {{BlackCat: New Rust based ransomware borrowing BlackMatter’s configuration}}, date = {2021-12-10}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809}, language = {English}, urldate = {2022-01-06} } BlackCat: New Rust based ransomware borrowing BlackMatter’s configuration
BlackCat BlackMatter
2021-12-10Dissecting MalwareMarius Genheimer
@online{genheimer:20211210:blackcatconf:1720a59, author = {Marius Genheimer}, title = {{BlackCatConf - Static Configuration Extractor for BlackCat Ransomware}}, date = {2021-12-10}, organization = {Dissecting Malware}, url = {https://github.com/f0wl/blackCatConf}, language = {English}, urldate = {2022-01-10} } BlackCatConf - Static Configuration Extractor for BlackCat Ransomware
BlackCat
2021-12-01ID RansomwareAndrew Ivanov
@online{ivanov:20211201:blackcat:e87a771, author = {Andrew Ivanov}, title = {{BlackCat Ransomware}}, date = {2021-12-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html}, language = {Russian}, urldate = {2022-01-03} } BlackCat Ransomware
BlackCat
Yara Rules
[TLP:WHITE] win_blackcat_auto (20220411 | Detects win.blackcat.)
rule win_blackcat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.blackcat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? bb02000000 eb0c bb03000000 eb05 bb04000000 01d1 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   bb02000000           | mov                 ebx, 2
            //   eb0c                 | jmp                 0xe
            //   bb03000000           | mov                 ebx, 3
            //   eb05                 | jmp                 7
            //   bb04000000           | mov                 ebx, 4
            //   01d1                 | add                 ecx, edx

        $sequence_1 = { e8???????? 83c404 8b742404 3c04 0f85f4040000 83fe15 720a }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b742404             | mov                 esi, dword ptr [esp + 4]
            //   3c04                 | cmp                 al, 4
            //   0f85f4040000         | jne                 0x4fa
            //   83fe15               | cmp                 esi, 0x15
            //   720a                 | jb                  0xc

        $sequence_2 = { ff742410 50 e8???????? 83c40c 83ff02 89df 895c2440 }
            // n = 7, score = 100
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   83ff02               | cmp                 edi, 2
            //   89df                 | mov                 edi, ebx
            //   895c2440             | mov                 dword ptr [esp + 0x40], ebx

        $sequence_3 = { ebe1 8b442408 897c2458 8944245c 8b442404 e9???????? 68???????? }
            // n = 7, score = 100
            //   ebe1                 | jmp                 0xffffffe3
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   897c2458             | mov                 dword ptr [esp + 0x58], edi
            //   8944245c             | mov                 dword ptr [esp + 0x5c], eax
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   e9????????           |                     
            //   68????????           |                     

        $sequence_4 = { e8???????? 83c40c 89d8 89f1 89da 8975ec 29f0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   89d8                 | mov                 eax, ebx
            //   89f1                 | mov                 ecx, esi
            //   89da                 | mov                 edx, ebx
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   29f0                 | sub                 eax, esi

        $sequence_5 = { e8???????? 83c404 8b4c2438 0fb6d3 57 e9???????? 7666 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b4c2438             | mov                 ecx, dword ptr [esp + 0x38]
            //   0fb6d3               | movzx               edx, bl
            //   57                   | push                edi
            //   e9????????           |                     
            //   7666                 | jbe                 0x68

        $sequence_6 = { e8???????? 83c408 3c03 753c 8b4204 89d7 ff32 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   3c03                 | cmp                 al, 3
            //   753c                 | jne                 0x3e
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   89d7                 | mov                 edi, edx
            //   ff32                 | push                dword ptr [edx]

        $sequence_7 = { 8b5dec 8945a0 8d4431ff 8b4df0 8945a4 8b4510 894dbc }
            // n = 7, score = 100
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   8945a0               | mov                 dword ptr [ebp - 0x60], eax
            //   8d4431ff             | lea                 eax, dword ptr [ecx + esi - 1]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8945a4               | mov                 dword ptr [ebp - 0x5c], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   894dbc               | mov                 dword ptr [ebp - 0x44], ecx

        $sequence_8 = { e8???????? 83c404 eb32 a1???????? 894590 c7459400000000 c7459800000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   eb32                 | jmp                 0x34
            //   a1????????           |                     
            //   894590               | mov                 dword ptr [ebp - 0x70], eax
            //   c7459400000000       | mov                 dword ptr [ebp - 0x6c], 0
            //   c7459800000000       | mov                 dword ptr [ebp - 0x68], 0

        $sequence_9 = { 8b4c2428 8b542424 8908 8b4c240c 894804 8b4c2408 894808 }
            // n = 7, score = 100
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   894808               | mov                 dword ptr [eax + 8], ecx

    condition:
        7 of them and filesize < 4604928
}
Download all Yara Rules