win.blackcat

BlackCat

aka: ALPHV, Noberus

Actor(s): Alpha Spider, RansomHub, Vanilla Tempest


ALPHV, also known as BlackCat or Noberus, is a ransomware family deployed as part of Ransomware-as-a-Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. It is marketed as ALPHV on cybercrime forums but is commonly called BlackCat by security researchers because of the black-cat icon on its leak site. ALPHV has been observed in ransomware attacks since November 18, 2021.

ALPHV can be configured to encrypt files with either the AES or ChaCha20 algorithm. To maximize the amount of data held to ransom, it can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to execute itself remotely on other hosts on the local network.

References
2025-12-30 | US Department of Justice | Office of Public Affairs
Two Americans Plead Guilty to Targeting Multiple U.S. Victims Using ALPHV BlackCat Ransomware
BlackCat BlackCat
2025-11-03 | Breached Company | Breached Company
When the Defenders Become the Attackers: Cybersecurity Experts Indicted for BlackCat Ransomware Operations
BlackCat BlackCat
2025-07-31 | Intrinsec | CTI Intrinsec
Shadow syndicate infrastructure illumination
AMOS BlackCat Cactus Cicada3301 Clop LockBit PLAY RansomHub Royal Ransom Silence
2025-05-06 | Mandiant | Mandiant
Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
BlackCat DragonForce RansomHub
2024-10-30 | EclecticIQ | EclecticIQ Threat Research Team
Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus
BlackCat Brute Ratel C4 Latrodectus
2024-09-30 | The DFIR Report | The DFIR Report
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
BlackCat Nitrogen Loader Sliver
2024-06-05 | S-RM | David Broom, Gavin Hull
Exmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data targeting
BlackCat BlackMatter Conti ExMatter LockBit REvil Ryuk
2024-04-24 | SentinelOne | Jim Walter
Ransomware Evolution | How Cheated Affiliates Are Recycling Victim Data for Profit
BlackCat RansomHub RansomHub
2024-02-29 | CrowdStrike | Jean-Philippe Teissier
The Anatomy of an ALPHA SPIDER Ransomware Attack
BlackCat Alpha Spider
2024-02-22 | Sekoia | Livia Tibirna, Pierre-Antoine D., Quentin Bourgue, Threat & Detection Research Team
Scattered Spider laying new eggs
BlackCat
2023-12-13 | cocomelonc | cocomelonc
Malware in the wild book
AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer
2023-12-03 | Twitter (@vxunderground) | VX-Underground
Tweet about ALPHV group compromising Tipalti to pressure its clients.
BlackCat BlackCat
2023-11-16 | The Register | Connor Jones
BlackCat plays with malvertising traps to lure corporate victims
BlackCat
2023-11-16 | CISA | CISA
Scattered Spider
Ave Maria BlackCat Raccoon Vidar
2023-10-30 | eSentire | eSentire
Nitrogen Campaign 2.0: Reloads with Enhanced Capabilities Leading to ALPHV/BlackCat Ransomware
BlackCat Nitrogen Loader
2023-10-25 | Microsoft | Microsoft Incident Response, Microsoft Threat Intelligence
Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction
BlackCat BlackCat Lumma Stealer
2023-09-12 | ANSSI | ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-08-17 | Trellix | Phelix Oluoch
Scattered Spider: The Modus Operandi
BlackCat POORTRY
2023-07-18 | Symantec | Threat Hunter Team
FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
BlackCat Unidentified 103 (FIN8)
2023-07-13 | MSSP Lab | cocomelonc
Malware analysis report: BlackCat ransomware
BlackCat BlackCat
2023-06-10 | The DFIR Report | The DFIR Report
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
BlackCat Cobalt Strike IcedID
2023-06-01 | Infinitum IT | Kerime Gencay
BlackCat Ransomware Analysis Report (Paywall)
BlackCat
2023-05-30 | IBM Security | IBM Security X-Force Team
BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration
BlackCat BlackCat
2023-05-22 | Trend Micro | Bahaa Yamany, Mahmoud Zohdy, Mohamed Fahmy, Sherif Magdy
BlackCat Ransomware Deploys New Signed Kernel Driver
BlackCat
2023-04-19 | Bleeping Computer | Bill Toulas
March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit Medusa PLAY Royal Ransom
2023-04-18 | Mandiant | Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-04-03 | Mandiant | Eduardo Mattos, Jason Deyalsingh, Nick Richard, Nick Smith, Tyler McLellan
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access
LaZagne BlackCat MimiKatz
2023-03-30 | United States District Court (Eastern District of New York) | Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-21 | Github (rivitna) | Andrey Zhdanov
BlackCat v3 Decryptor Scripts
BlackCat BlackCat
2022-11-09 | Netskope | Gustavo Palazolo
BlackCat Ransomware: Tactics and Techniques From a Targeted Attack
BlackCat ExMatter
2022-10-25 | Microsoft | Microsoft Security Threat Intelligence
DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector
BlackCat Mount Locker PortStarter Zeppelin Vanilla Tempest
2022-10-10 | RiskIQ | Microsoft Threat Intelligence Center (MSTIC)
DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns
BlackCat Mount Locker SystemBC Zeppelin
2022-09-22 | ComputerWeekly | Alex Scroxton
ALPHV/BlackCat ransomware family becoming more dangerous
BlackCat BlackCat FIN7
2022-09-22 | Broadcom | Symantec Threat Hunter Team
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
BlackCat BlackMatter DarkSide
2022-09-08 | Sentinel LABS | Aleksandar Milenkoski, Jim Walter
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
AgendaCrypt Black Basta BlackCat PLAY
2022-09-06 | SecurityScorecard | Vlad Pasca
TTPs Associated With a New Version of the BlackCat Ransomware
BlackCat
2022-08-22 | Microsoft | Microsoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-11 | SecurityScorecard | Robert Ames
The Increase in Ransomware Attacks on Local Governments
BlackCat BlackCat Cobalt Strike LockBit
2022-07-18 | SecurityScorecard | Vlad Pasca
A Deep Dive Into ALPHV/BlackCat Ransomware
BlackCat
2022-07-14 | Sophos | Andrew Brandt, Andy French, Bill Kearney, Elida Leite, Harinder Bhathal, Lee Kirkpatrick, Peter Mackenzie, Robert Weiland, Sergio Bestulic
BlackCat ransomware attacks not merely a byproduct of bad luck
BlackCat BlackCat
2022-06-29 | Group-IB | Andrey Zhdanov, Oleg Skulkin
Fat Cats - An analysis of the BlackCat ransomware affiliate program
BlackCat BlackCat
2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-06-13 | Microsoft | Microsoft Threat Intelligence
The many lives of BlackCat ransomware
BlackCat Velvet Tempest
2022-06-13 | Microsoft | Microsoft 365 Defender Threat Intelligence Team
The many lives of BlackCat ransomware
BlackCat
2022-06-07 | AdvIntel | Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
BlackCat BlackCat Cobalt Strike
2022-06-01 | Jorge Testa | Jorge Testa
Killing The Bear - Alphv
BlackCat BlackCat
2022-05-23 | Trend Micro | Trend Micro Research
LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)
BlackCat Conti LockBit
2022-05-23 | Trend Micro | Matsugaya Shingo
LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022
BlackCat Conti LockBit
2022-05-20 | AdvIntel | Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09 | Microsoft Security | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-29 | The Record | Jonathan Greig
German wind farm operator confirms cybersecurity incident
Black Basta BlackCat
2022-04-27 | ANSSI | ANSSI
LE GROUPE CYBERCRIMINEL FIN7 (The FIN7 cybercriminal group)
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-04-19 | FBI | FBI
FBI Flash CU-000167-MW: BlackCat/ALPHV Ransomware Indicators of Compromise
BlackCat
2022-04-18 | AdvIntel | Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt
2022-04-18 | Trend Micro | Leandro Froes, Lucas Silva
An Investigation of the BlackCat Ransomware via Trend Micro Vision One
BlackCat
2022-04-08 | The Hacker News | Ravie Lakshmanan
Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity
BlackCat BlackMatter BlackCat BlackMatter
2022-04-07 | Kaspersky | GReAT
A Bad Luck BlackCat
BlackCat
2022-04-07 | Kaspersky | GReAT
A Bad Luck BlackCat
BlackCat BlackCat
2022-03-23 | CrowdStrike | Falcon OverWatch Team
Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack
BlackCat
2022-03-17 | Cisco | Caitlin Huey, Tiago Pereira
From BlackMatter to BlackCat: Analyzing two attacks from one affiliate
BlackCat BlackMatter BlackCat BlackMatter
2022-03-16 | Symantec | Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03-01 | Cybereason | Ohav Peri, Tom Fakterman
Cybereason vs. BlackCat Ransomware
BlackCat
2022-02-08 | Trellix | Arnab Roy
BlackCat Ransomware as a Service - The Cat is certainly out of the bag!
BlackCat BlackCat
2022-02-02 | ZDNet | Jonathan Greig
BlackCat ransomware implicated in attack on German oil companies
BlackCat BlackCat
2022-01-28 | KrebsOnSecurity | Brian Krebs
Who Wrote the ALPHV/BlackCat Ransomware Strain?
BlackCat BlackCat
2022-01-27 | Palo Alto Networks Unit 42 | Alex Hinchliffe, Amanda Tanner, Doel Santos
Threat Assessment: BlackCat Ransomware
BlackCat
2022-01-26 | Intrinsec | Intrinsec
ALPHV ransomware gang analysis
BlackCat BlackCat
2022-01-26 | Intrinsec | Intrinsec
ALPHV ransomware gang analysis
BlackCat LockBit
2022-01-26 | Varonis | Jason Hill
ALPHV (BlackCat) Ransomware
BlackCat
2022-01-18 | SentinelOne | Jim Walter
BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims
BlackCat
2021-12-16 | Symantec | Threat Hunter Team
Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware
BlackCat
2021-12-10 | Medium s2wlab | S2W TALON
BlackCat: New Rust based ransomware borrowing BlackMatter’s configuration
BlackCat BlackMatter
2021-12-10 | Dissecting Malware | Marius Genheimer
BlackCatConf - Static Configuration Extractor for BlackCat Ransomware
BlackCat
2021-12-01 | ID Ransomware | Andrew Ivanov
BlackCat Ransomware
BlackCat
Yara Rules
[TLP:WHITE] win_blackcat_auto (20260504 | Detects win.blackcat.)
rule win_blackcat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.blackcat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 897204 83780400 7416 c6410835 b801000000 eb12 8d7804 }
            // n = 7, score = 500
            //   897204               | mov                 dword ptr [edx + 4], esi
            //   83780400             | cmp                 dword ptr [eax + 4], 0
            //   7416                 | je                  0x18
            //   c6410835             | mov                 byte ptr [ecx + 8], 0x35
            //   b801000000           | mov                 eax, 1
            //   eb12                 | jmp                 0x14
            //   8d7804               | lea                 edi, [eax + 4]

        $sequence_1 = { e9???????? 8d4de4 6a03 e8???????? 83c404 8b45e4 8b55ec }
            // n = 7, score = 500
            //   e9????????           |                     
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   6a03                 | push                3
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        $sequence_2 = { 8b7508 8b7d0c c744245400000000 c744245000000000 c744245800000000 89542424 894c2420 }
            // n = 7, score = 500
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   c744245400000000     | mov                 dword ptr [esp + 0x54], 0
            //   c744245000000000     | mov                 dword ptr [esp + 0x50], 0
            //   c744245800000000     | mov                 dword ptr [esp + 0x58], 0
            //   89542424             | mov                 dword ptr [esp + 0x24], edx
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx

        $sequence_3 = { 8b461c 01f8 53 52 50 e8???????? 83c40c }
            // n = 7, score = 500
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   01f8                 | add                 eax, edi
            //   53                   | push                ebx
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_4 = { 8b7de0 3955ec 75ba 8b45f0 8b7ddc 8b4de8 8938 }
            // n = 7, score = 500
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]
            //   3955ec               | cmp                 dword ptr [ebp - 0x14], edx
            //   75ba                 | jne                 0xffffffbc
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8938                 | mov                 dword ptr [eax], edi

        $sequence_5 = { 8b4df0 0fb6d2 c7410c00000000 895108 897110 894114 b801000000 }
            // n = 7, score = 500
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   0fb6d2               | movzx               edx, dl
            //   c7410c00000000       | mov                 dword ptr [ecx + 0xc], 0
            //   895108               | mov                 dword ptr [ecx + 8], edx
            //   897110               | mov                 dword ptr [ecx + 0x10], esi
            //   894114               | mov                 dword ptr [ecx + 0x14], eax
            //   b801000000           | mov                 eax, 1

        $sequence_6 = { 893a 897204 83780400 7416 c6410835 b801000000 eb12 }
            // n = 7, score = 500
            //   893a                 | mov                 dword ptr [edx], edi
            //   897204               | mov                 dword ptr [edx + 4], esi
            //   83780400             | cmp                 dword ptr [eax + 4], 0
            //   7416                 | je                  0x18
            //   c6410835             | mov                 byte ptr [ecx + 8], 0x35
            //   b801000000           | mov                 eax, 1
            //   eb12                 | jmp                 0x14

        $sequence_7 = { 89e5 8a01 04fe 3c05 7748 }
            // n = 5, score = 500
            //   89e5                 | mov                 ebp, esp
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   04fe                 | add                 al, 0xfe
            //   3c05                 | cmp                 al, 5
            //   7748                 | ja                  0x4a

        $sequence_8 = { 89f1 660f70c944 660fef0d???????? f30f7f442430 f30f7f4c2440 c744245c00000000 ff7008 }
            // n = 7, score = 500
            //   89f1                 | mov                 ecx, esi
            //   660f70c944           | pshufd              xmm1, xmm1, 0x44
            //   660fef0d????????     |                     
            //   f30f7f442430         | movdqu              xmmword ptr [esp + 0x30], xmm0
            //   f30f7f4c2440         | movdqu              xmmword ptr [esp + 0x40], xmm1
            //   c744245c00000000     | mov                 dword ptr [esp + 0x5c], 0
            //   ff7008               | push                dword ptr [eax + 8]

        $sequence_9 = { eb5a 8d770c c6471101 8d4de4 }
            // n = 4, score = 500
            //   eb5a                 | jmp                 0x5c
            //   8d770c               | lea                 esi, [edi + 0xc]
            //   c6471101             | mov                 byte ptr [edi + 0x11], 1
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]

    condition:
        7 of them and filesize < 6313984
}