Dark Web Profile: BlackCat (ALPHV)

August 26, 2022

A new Russian ransomware group known as ALPHV, also known as BlackCat or Noberus, appeared with its first posts in late November 2021. Since then, they have been very active in running ransomware attacks. There are more than 108 findings for ALPHV in just six months on the SOCRadar platform.

Who is BlackCat? 

According to an interview given by group members, the group's actual name is ALPHV; BlackCat was only the name of the ransomware. Because the ransomware became more prominent than the group itself, the gang came to be known as BlackCat on the dark web. For that reason, from the end of March the gang switched to a post format that emphasizes the BlackCat name.

Their primary motivation is money, and they do not have a specific target country: recent victims include organizations in Kuwait, Thailand, and the United States. ALPHV operates under a ransomware-as-a-service model and actively recruits affiliates.

BlackCat ransomware announcing one of its victims.

ALPHV has posted to many Russian and Sino-Russian websites since its first post. Its posts are promotional, claiming “a new era of ransomware”: new code and a decentralized architecture. ALPHV also pays attention to protecting itself by siloing attacks, with one website per affected company and affiliate. ALPHV offers an attractive payment share, with somewhere between 80-90% of the ransom going to the affiliate.

Another victim announcement by BlackCat.

The FBI published a notice concerning the actions of the threat group in April 2022. The Bureau states that the gang’s ransomware has been used to attack at least 60 organizations worldwide. What sets BlackCat apart is its code: the ransomware is written in the Rust programming language. The FBI warning remarks that Rust is “considered a more secure programming language that offers improved performance and reliable concurrent processing.”

BlackCat operators were former members of the REvil gang, which suggests that the ALPHV ransomware gang is most likely associated with the REvil ransomware group. A member of the LockBit ransomware group has also asserted that BlackCat is a new version of DarkSide. However, no similarity has yet been found in the available IoCs to support either link.

BlackCat Attacks Swissport

BlackCat has put 1.6 TB of data for sale that it claims belongs to Swissport.

The BlackCat gang launched an attack on an aviation company, Swissport, in February 2022. The ransomware attack was announced on the group website monitored by SOCRadar: “In 2021, Swissport International AG provided best-in-class airport ground services for some 97 million airline passengers and handled roughly 5.1 million tons of air freight at over 100 cargo warehouses worldwide. We will share a link to let you download more samples soon. If you’re interested in buying the whole dump (1.6TB) of data or some part of it, reach us”.  

The Austrian Federal State of Kärnten Ransomware Attack

Group’s post about the Kärnten attack.

In a more recent attack, BlackCat targeted the Austrian federal state of Carinthia (Kärnten). The group asked for a $5 million ransom to unlock the encrypted computer systems. On the AlphVM BlackCat ransomware group website monitored by SOCRadar, leaked data was detected that allegedly belongs to the Administration of the state of Carinthia.

As noted above, the ransomware gang has been very active recently. During the first three weeks of August 2022, five new ransomware victims were announced on the BlackCat (AlphVM) ransomware group website monitored by SOCRadar.

IoCs

Windows Variant

bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117

28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169

2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc

5bdc0fb5cfbd42de726aacc40eddca034b5fa4afcc88ddfb40a3d9ae18672898

731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161

59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f

c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283

658e07739ad0137bceb910a351ce3fe4913f6fcc3f63e6ff2eb726e45f29e582

7154fdb1ef9044da59fcfdbdd1ed9abc1a594cacb41a0aeddb5cd9fdaeea5ea8

c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486

cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479

b588823eb5c65f36d067d496881d9c704d3ba57100c273656a56a43215f35442

7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e

3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83

38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1

7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487

cda37b13d1fdee1b4262b5a6146a35d8fc88fa572e55437a47a950037cc65d40

f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb

Linux Variant

f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6

5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42
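The hashes above are only useful once they are in a form a scanner can match against. As an added example (not SOCRadar's tooling and not code from the group), the script below turns the list into a case-normalised lookup, rejects malformed entries so a truncated indicator cannot silently produce zero matches, and hashes every regular file under a directory tree against it. The hash values are copied from the IoC list above; the function names, the file names and the demo inputs are constructed for this example.

```python
"""Offline SHA-256 matcher for the BlackCat/ALPHV file hashes listed on this page.

Added example, not SOCRadar's tooling. The hash values are copied from the IoC
list above; function names, file names and the demo inputs are constructed here.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 values from the IoC list above, grouped by the variant the page assigns them to.
BLACKCAT_SHA256 = {
    "windows": [
        "bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117",
        "28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169",
        "2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc",
        "5bdc0fb5cfbd42de726aacc40eddca034b5fa4afcc88ddfb40a3d9ae18672898",
        "731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161",
        "59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f",
        "c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283",
        "658e07739ad0137bceb910a351ce3fe4913f6fcc3f63e6ff2eb726e45f29e582",
        "7154fdb1ef9044da59fcfdbdd1ed9abc1a594cacb41a0aeddb5cd9fdaeea5ea8",
        "c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486",
        "cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae",
        "0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479",
        "b588823eb5c65f36d067d496881d9c704d3ba57100c273656a56a43215f35442",
        "7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e",
        "3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83",
        "38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1",
        "7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487",
        "cda37b13d1fdee1b4262b5a6146a35d8fc88fa572e55437a47a950037cc65d40",
        "f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb",
    ],
    "linux": [
        "f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6",
        "5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42",
    ],
}

# A SHA-256 hex digest is exactly 64 hex characters; anything else is a copy error.
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def build_lookup(iocs=BLACKCAT_SHA256):
    """Map each normalised (lowercase) hash to its variant label."""
    lookup = {}
    for variant, hashes in iocs.items():
        for raw in hashes:
            h = raw.strip().lower()          # published lists mix upper/lower case
            if not HEX64.match(h):
                raise ValueError(f"malformed SHA-256 indicator: {raw!r}")
            lookup[h] = variant
    return lookup


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, lookup):
    """Walk root and return (path, sha256, variant) for every file whose hash is an IoC."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue                     # skip links and special files
            try:
                digest = sha256_file(path)
            except OSError:
                continue                     # unreadable file: real tooling would log this
            variant = lookup.get(digest)
            if variant is not None:
                hits.append((str(path), digest, variant))
    return hits


def demo():
    """Constructed end-to-end run: two harmless files, one registered as a test indicator."""
    lookup = build_lookup()
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"abc")           # sha256 ba7816bf...15ad, not an IoC
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample, not malware")
        # Register the constructed sample's hash so the demo produces exactly one hit.
        lookup[sha256_file(sample)] = "constructed-test"
        return scan_tree(tmp, lookup)


if __name__ == "__main__":
    for path, digest, variant in demo():
        print(f"{variant}\t{digest}\t{path}")
```

Hash matching of this kind catches only the exact samples listed; a rebuilt or repacked payload will have a different digest, so treat a hit as high-confidence confirmation and a miss as no information. The `demo()` function exists only so the script runs end to end offline; in practice `scan_tree` would be pointed at the directories an investigation cares about.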