SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blackcat (Back to overview)

BlackCat

aka: ALPHV, Noberus

ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.

ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.

References
2023-05-22Trend MicroMahmoud Zohdy, Sherif Magdy, Mohamed Fahmy, Bahaa Yamany
@online{zohdy:20230522:blackcat:d839f8e, author = {Mahmoud Zohdy and Sherif Magdy and Mohamed Fahmy and Bahaa Yamany}, title = {{BlackCat Ransomware Deploys New Signed Kernel Driver}}, date = {2023-05-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html}, language = {English}, urldate = {2023-05-23} } BlackCat Ransomware Deploys New Signed Kernel Driver
BlackCat
2023-04-19Bleeping ComputerBill Toulas
@online{toulas:20230419:march:2c99c12, author = {Bill Toulas}, title = {{March 2023 broke ransomware attack records with 459 incidents}}, date = {2023-04-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/}, language = {English}, urldate = {2023-04-28} } March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom
2023-04-18MandiantMandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-04-03MandiantJASON DEYALSINGH, NICK SMITH, Eduardo Mattos, Tyler McLellan, Nick Richard
@online{deyalsingh:20230403:alphv:04f0dfa, author = {JASON DEYALSINGH and NICK SMITH and Eduardo Mattos and Tyler McLellan and Nick Richard}, title = {{ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access}}, date = {2023-04-03}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/alphv-ransomware-backup}, language = {English}, urldate = {2023-04-22} } ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access
LaZagne BlackCat MimiKatz
2023-03-30United States District Court (Eastern District of New York)Microsoft, Fortra, HEALTH-ISAC
@techreport{microsoft:20230330:cracked:08c67c0, author = {Microsoft and Fortra and HEALTH-ISAC}, title = {{Cracked Cobalt Strike (1:23-cv-02447)}}, date = {2023-03-30}, institution = {United States District Court (Eastern District of New York)}, url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf}, language = {English}, urldate = {2023-04-28} } Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-21Github (rivitna)Andrey Zhdanov
@online{zhdanov:20230321:blackcat:2da310d, author = {Andrey Zhdanov}, title = {{BlackCat v3 Decryptor Scripts}}, date = {2023-03-21}, organization = {Github (rivitna)}, url = {https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3}, language = {English}, urldate = {2023-03-22} } BlackCat v3 Decryptor Scripts
BlackCat BlackCat
2022-11-09NetskopeGustavo Palazolo
@online{palazolo:20221109:blackcat:8205dee, author = {Gustavo Palazolo}, title = {{BlackCat Ransomware: Tactics and Techniques From a Targeted Attack}}, date = {2022-11-09}, organization = {Netskope}, url = {https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack}, language = {English}, urldate = {2022-11-18} } BlackCat Ransomware: Tactics and Techniques From a Targeted Attack
BlackCat ExMatter
2022-10-25MicrosoftMicrosoft Security Threat Intelligence
@online{intelligence:20221025:dev0832:5d16a04, author = {Microsoft Security Threat Intelligence}, title = {{DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector}}, date = {2022-10-25}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/}, language = {English}, urldate = {2023-02-03} } DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector
BlackCat Mount Locker Zeppelin
2022-10-10RiskIQMicrosoft Threat Intelligence Center (MSTIC)
@online{mstic:20221010:dev0832:07768a3, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns}}, date = {2022-10-10}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/47766fbd}, language = {English}, urldate = {2022-10-19} } DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns
BlackCat Mount Locker SystemBC Zeppelin
2022-09-22BroadcomSymantec Threat Hunter Team
@online{team:20220922:noberus:fc868b9, author = {Symantec Threat Hunter Team}, title = {{Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics}}, date = {2022-09-22}, organization = {Broadcom}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps}, language = {English}, urldate = {2022-09-26} } Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
BlackCat BlackMatter DarkSide
2022-09-22ComputerWeeklyAlex Scroxton
@online{scroxton:20220922:alphvblackcat:2f581b9, author = {Alex Scroxton}, title = {{ALPHV/BlackCat ransomware family becoming more dangerous}}, date = {2022-09-22}, organization = {ComputerWeekly}, url = {https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous}, language = {English}, urldate = {2023-01-05} } ALPHV/BlackCat ransomware family becoming more dangerous
BlackCat BlackCat FIN7
2022-09-08Sentinel LABSAleksandar Milenkoski, Jim Walter
@online{milenkoski:20220908:crimeware:9c7be9a, author = {Aleksandar Milenkoski and Jim Walter}, title = {{Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection}}, date = {2022-09-08}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/}, language = {English}, urldate = {2022-09-10} } Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
AgendaCrypt Black Basta BlackCat PLAY
2022-09-06SecurityScorecardVlad Pasca
@online{pasca:20220906:ttps:e1c70ed, author = {Vlad Pasca}, title = {{TTPs Associated With a New Version of the BlackCat Ransomware}}, date = {2022-09-06}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware}, language = {English}, urldate = {2022-09-10} } TTPs Associated With a New Version of the BlackCat Ransomware
BlackCat
2022-08-22MicrosoftMicrosoft
@online{microsoft:20220822:extortion:67c26d4, author = {Microsoft}, title = {{Extortion Economics - Ransomware’s new business model}}, date = {2022-08-22}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v}, language = {English}, urldate = {2022-08-31} } Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-11SecurityScorecardRobert Ames
@online{ames:20220811:increase:5cbc907, author = {Robert Ames}, title = {{The Increase in Ransomware Attacks on Local Governments}}, date = {2022-08-11}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments}, language = {English}, urldate = {2022-08-28} } The Increase in Ransomware Attacks on Local Governments
BlackCat BlackCat Cobalt Strike LockBit
2022-07-18SecurityScorecardVlad Pasca
@online{pasca:20220718:deep:86577a8, author = {Vlad Pasca}, title = {{A Deep Dive Into ALPHV/BlackCat Ransomware}}, date = {2022-07-18}, organization = {SecurityScorecard}, url = {https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware}, language = {English}, urldate = {2022-07-19} } A Deep Dive Into ALPHV/BlackCat Ransomware
BlackCat
2022-07-14SophosAndrew Brandt, Sergio Bestulic, Harinder Bhathal, Andy French, Bill Kearney, Lee Kirkpatrick, Elida Leite, Peter Mackenzie, Robert Weiland
@online{brandt:20220714:blackcat:745470a, author = {Andrew Brandt and Sergio Bestulic and Harinder Bhathal and Andy French and Bill Kearney and Lee Kirkpatrick and Elida Leite and Peter Mackenzie and Robert Weiland}, title = {{BlackCat ransomware attacks not merely a byproduct of bad luck}}, date = {2022-07-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/}, language = {English}, urldate = {2022-07-25} } BlackCat ransomware attacks not merely a byproduct of bad luck
BlackCat BlackCat
2022-06-29Group-IBAndrey Zhdanov, Oleg Skulkin
@online{zhdanov:20220629:fat:7056ba6, author = {Andrey Zhdanov and Oleg Skulkin}, title = {{Fat Cats - An analysis of the BlackCat ransomware affiliate program}}, date = {2022-06-29}, organization = {Group-IB}, url = {https://blog.group-ib.com/blackcat}, language = {English}, urldate = {2022-08-17} } Fat Cats - An analysis of the BlackCat ransomware affiliate program
BlackCat BlackCat
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-06-13MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20220613:many:7681eda, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{The many lives of BlackCat ransomware}}, date = {2022-06-13}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/}, language = {English}, urldate = {2022-06-15} } The many lives of BlackCat ransomware
BlackCat
2022-06-07AdvIntelVitali Kremez, Marley Smith, Yelisey Boguslavskiy
@online{kremez:20220607:blackcat:3dc977e, author = {Vitali Kremez and Marley Smith and Yelisey Boguslavskiy}, title = {{BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive}}, date = {2022-06-07}, organization = {AdvIntel}, url = {https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive}, language = {English}, urldate = {2022-06-08} } BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
BlackCat BlackCat Cobalt Strike
2022-06Jorge TestaJorge Testa
@online{testa:202206:killing:007ffce, author = {Jorge Testa}, title = {{Killing The Bear - Alphv}}, date = {2022-06}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/alphv}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Alphv
BlackCat BlackCat
2022-05-23Trend MicroMatsugaya Shingo
@online{shingo:20220523:lockbit:8d0fff2, author = {Matsugaya Shingo}, title = {{LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022}}, date = {2022-05-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022}, language = {English}, urldate = {2022-05-24} } LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022
BlackCat Conti LockBit
2022-05-23Trend MicroTrend Micro Research
@techreport{research:20220523:lockbit:6eb72ce, author = {Trend Micro Research}, title = {{LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)}}, date = {2022-05-23}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf}, language = {English}, urldate = {2022-05-29} } LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)
BlackCat Conti LockBit
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09Microsoft SecurityMicrosoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-04-29The RecordJonathan Greig
@online{greig:20220429:german:d7fd313, author = {Jonathan Greig}, title = {{German wind farm operator confirms cybersecurity incident}}, date = {2022-04-29}, organization = {The Record}, url = {https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/}, language = {English}, urldate = {2022-05-03} } German wind farm operator confirms cybersecurity incident
Black Basta BlackCat
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-04-19FBIFBI
@techreport{fbi:20220419:fbi:05194a3, author = {FBI}, title = {{FBI Flash CU-000167-MW: BlackCat/ALPHV Ransomware Indicators of Compromise}}, date = {2022-04-19}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220420.pdf}, language = {English}, urldate = {2022-05-04} } FBI Flash CU-000167-MW: BlackCat/ALPHV Ransomware Indicators of Compromise
BlackCat
2022-04-18Trend MicroLucas Silva, Leandro Froes
@online{silva:20220418:investigation:a2d3046, author = {Lucas Silva and Leandro Froes}, title = {{An Investigation of the BlackCat Ransomware via Trend Micro Vision One}}, date = {2022-04-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html}, language = {English}, urldate = {2022-04-20} } An Investigation of the BlackCat Ransomware via Trend Micro Vision One
BlackCat
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-04-08The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220408:researchers:245d67d, author = {Ravie Lakshmanan}, title = {{Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity}}, date = {2022-04-08}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html}, language = {English}, urldate = {2022-04-12} } Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity
BlackCat BlackMatter BlackCat BlackMatter
2022-04-07KasperskyGReAT
@online{great:20220407:bad:162aae7, author = {GReAT}, title = {{A Bad Luck BlackCat}}, date = {2022-04-07}, organization = {Kaspersky}, url = {https://securelist.com/a-bad-luck-blackcat/106254/}, language = {English}, urldate = {2022-04-12} } A Bad Luck BlackCat
BlackCat BlackCat
2022-04-07KasperskyGReAT
@techreport{great:20220407:bad:ebb997d, author = {GReAT}, title = {{A Bad Luck BlackCat}}, date = {2022-04-07}, institution = {Kaspersky}, url = {https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf}, language = {English}, urldate = {2022-04-25} } A Bad Luck BlackCat
BlackCat
2022-03-23CrowdStrikeFalcon OverWatch Team
@online{team:20220323:falcon:eb9c44f, author = {Falcon OverWatch Team}, title = {{Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack}}, date = {2022-03-23}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/}, language = {English}, urldate = {2022-03-25} } Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack
BlackCat
2022-03-17CiscoTiago Pereira, Caitlin Huey
@online{pereira:20220317:from:592c847, author = {Tiago Pereira and Caitlin Huey}, title = {{From BlackMatter to BlackCat: Analyzing two attacks from one affiliate}}, date = {2022-03-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html}, language = {English}, urldate = {2022-03-18} } From BlackMatter to BlackCat: Analyzing two attacks from one affiliate
BlackCat BlackMatter BlackCat BlackMatter
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03-01CybereasonTom Fakterman, Ohav Peri
@online{fakterman:20220301:cybereason:b40f6c6, author = {Tom Fakterman and Ohav Peri}, title = {{Cybereason vs. BlackCat Ransomware}}, date = {2022-03-01}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware}, language = {English}, urldate = {2022-03-07} } Cybereason vs. BlackCat Ransomware
BlackCat
2022-02-08TrellixArnab Roy
@online{roy:20220208:blackcat:d336ae8, author = {Arnab Roy}, title = {{BlackCat Ransomware as a Service - The Cat is certainly out of the bag!}}, date = {2022-02-08}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html}, language = {English}, urldate = {2022-02-09} } BlackCat Ransomware as a Service - The Cat is certainly out of the bag!
BlackCat BlackCat
2022-02-02ZDNetJonathan Greig
@online{greig:20220202:blackcat:dba8722, author = {Jonathan Greig}, title = {{BlackCat ransomware implicated in attack on German oil companies}}, date = {2022-02-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/}, language = {English}, urldate = {2022-02-07} } BlackCat ransomware implicated in attack on German oil companies
BlackCat BlackCat
2022-01-28KrebsOnSecurityBrian Krebs
@online{krebs:20220128:who:bc8131a, author = {Brian Krebs}, title = {{Who Wrote the ALPHV/BlackCat Ransomware Strain?}}, date = {2022-01-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/}, language = {English}, urldate = {2022-02-07} } Who Wrote the ALPHV/BlackCat Ransomware Strain?
BlackCat BlackCat
2022-01-27Palo Alto Networks Unit 42Amanda Tanner, Alex Hinchliffe, Doel Santos
@online{tanner:20220127:threat:15f076d, author = {Amanda Tanner and Alex Hinchliffe and Doel Santos}, title = {{Threat Assessment: BlackCat Ransomware}}, date = {2022-01-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/blackcat-ransomware/}, language = {English}, urldate = {2022-02-01} } Threat Assessment: BlackCat Ransomware
BlackCat
2022-01-26IntrinsecIntrinsec
@online{intrinsec:20220126:alphv:9f00db5, author = {Intrinsec}, title = {{ALPHV ransomware gang analysis}}, date = {2022-01-26}, organization = {Intrinsec}, url = {https://www.intrinsec.com/alphv-ransomware-gang-analysis}, language = {English}, urldate = {2022-02-01} } ALPHV ransomware gang analysis
BlackCat LockBit
2022-01-26VaronisJason Hill
@online{hill:20220126:alphv:dd754b8, author = {Jason Hill}, title = {{ALPHV (BlackCat) Ransomware}}, date = {2022-01-26}, organization = {Varonis}, url = {https://www.varonis.com/blog/alphv-blackcat-ransomware}, language = {English}, urldate = {2022-01-31} } ALPHV (BlackCat) Ransomware
BlackCat
2022-01-26IntrinsecIntrinsec
@online{intrinsec:20220126:alphv:5f751bd, author = {Intrinsec}, title = {{ALPHV ransomware gang analysis}}, date = {2022-01-26}, organization = {Intrinsec}, url = {https://www.intrinsec.com/alphv-ransomware-gang-analysis/}, language = {English}, urldate = {2022-11-07} } ALPHV ransomware gang analysis
BlackCat BlackCat
2022-01-18SentinelOneJim Walter
@online{walter:20220118:blackcat:39c437d, author = {Jim Walter}, title = {{BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims}}, date = {2022-01-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/}, language = {English}, urldate = {2022-01-19} } BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims
BlackCat
2021-12-16SymantecThreat Hunter Team
@online{team:20211216:noberus:da3ac9d, author = {Threat Hunter Team}, title = {{Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware}}, date = {2021-12-16}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware}, language = {English}, urldate = {2022-02-07} } Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware
BlackCat
2021-12-10Medium s2wlabS2W TALON
@online{talon:20211210:blackcat:2ec3ecf, author = {S2W TALON}, title = {{BlackCat: New Rust based ransomware borrowing BlackMatter’s configuration}}, date = {2021-12-10}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809}, language = {English}, urldate = {2022-01-06} } BlackCat: New Rust based ransomware borrowing BlackMatter’s configuration
BlackCat BlackMatter
2021-12-10Dissecting MalwareMarius Genheimer
@online{genheimer:20211210:blackcatconf:1720a59, author = {Marius Genheimer}, title = {{BlackCatConf - Static Configuration Extractor for BlackCat Ransomware}}, date = {2021-12-10}, organization = {Dissecting Malware}, url = {https://github.com/f0wl/blackCatConf}, language = {English}, urldate = {2022-01-10} } BlackCatConf - Static Configuration Extractor for BlackCat Ransomware
BlackCat
2021-12-01ID RansomwareAndrew Ivanov
@online{ivanov:20211201:blackcat:e87a771, author = {Andrew Ivanov}, title = {{BlackCat Ransomware}}, date = {2021-12-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html}, language = {Russian}, urldate = {2022-01-03} } BlackCat Ransomware
BlackCat
Yara Rules
[TLP:WHITE] win_blackcat_auto (20230407 | Detects win.blackcat.)
rule win_blackcat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.blackcat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 81f90a010000 7e6a 81f9e2030000 0f8fcc000000 81f90b010000 }
            // n = 6, score = 600
            //   c3                   | ret                 
            //   81f90a010000         | cmp                 ecx, 0x10a
            //   7e6a                 | jle                 0x6c
            //   81f9e2030000         | cmp                 ecx, 0x3e2
            //   0f8fcc000000         | jg                  0xd2
            //   81f90b010000         | cmp                 ecx, 0x10b

        $sequence_1 = { 85f6 0f8482000000 bb03000000 8d0437 }
            // n = 4, score = 600
            //   85f6                 | test                esi, esi
            //   0f8482000000         | je                  0x88
            //   bb03000000           | mov                 ebx, 3
            //   8d0437               | lea                 eax, [edi + esi]

        $sequence_2 = { 885405cc 48 eb19 89ca 83fa63 7fbe }
            // n = 6, score = 600
            //   885405cc             | mov                 byte ptr [ebp + eax - 0x34], dl
            //   48                   | dec                 eax
            //   eb19                 | jmp                 0x1b
            //   89ca                 | mov                 edx, ecx
            //   83fa63               | cmp                 edx, 0x63
            //   7fbe                 | jg                  0xffffffc0

        $sequence_3 = { f20f104808 8d45d4 894dec c645f004 8d4dec }
            // n = 5, score = 600
            //   f20f104808           | movsd               xmm1, qword ptr [eax + 8]
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   c645f004             | mov                 byte ptr [ebp - 0x10], 4
            //   8d4dec               | lea                 ecx, [ebp - 0x14]

        $sequence_4 = { 3d32210000 747b 3d33210000 0f8571050000 8b07 }
            // n = 5, score = 600
            //   3d32210000           | cmp                 eax, 0x2132
            //   747b                 | je                  0x7d
            //   3d33210000           | cmp                 eax, 0x2133
            //   0f8571050000         | jne                 0x577
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_5 = { b005 5e 5d c3 81f90a010000 7e6a 81f9e2030000 }
            // n = 7, score = 600
            //   b005                 | mov                 al, 5
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   81f90a010000         | cmp                 ecx, 0x10a
            //   7e6a                 | jle                 0x6c
            //   81f9e2030000         | cmp                 ecx, 0x3e2

        $sequence_6 = { 747b 3d33210000 0f8571050000 8b07 83f00a }
            // n = 5, score = 600
            //   747b                 | je                  0x7d
            //   3d33210000           | cmp                 eax, 0x2133
            //   0f8571050000         | jne                 0x577
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   83f00a               | xor                 eax, 0xa

        $sequence_7 = { b806000000 c7460400000000 894608 c70601000000 83c430 }
            // n = 5, score = 600
            //   b806000000           | mov                 eax, 6
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   c70601000000         | mov                 dword ptr [esi], 1
            //   83c430               | add                 esp, 0x30

        $sequence_8 = { 89d0 ba3e000000 897e0c f7e2 }
            // n = 4, score = 600
            //   89d0                 | mov                 eax, edx
            //   ba3e000000           | mov                 edx, 0x3e
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   f7e2                 | mul                 edx

        $sequence_9 = { c6410b00 66c741090000 8b45ec 894110 c7411400000000 b801000000 8901 }
            // n = 7, score = 600
            //   c6410b00             | mov                 byte ptr [ecx + 0xb], 0
            //   66c741090000         | mov                 word ptr [ecx + 9], 0
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   894110               | mov                 dword ptr [ecx + 0x10], eax
            //   c7411400000000       | mov                 dword ptr [ecx + 0x14], 0
            //   b801000000           | mov                 eax, 1
            //   8901                 | mov                 dword ptr [ecx], eax

    condition:
        7 of them and filesize < 29981696
}
Download all Yara Rules