A new Russian ransomware group known as ALPHV, also known as BlackCat or Noberus, appeared with its first posts in late November 2021. Since then, they have been very active in running ransomware attacks. There are more than 108 findings for ALPHV in just six months on the SOCRadar platform.
Who is BlackCat?
According to the interview given by the group members, the actual name of the group was ALPHV. The name BlackCat was just the name of the ransomware. However, because the group was more prominent with ransomware, it was known as BlackCat in the dark web world. That’s why from the end of March, the gang switched to a format that would emphasize BlackCat more in their posts, and they are now putting more emphasis on BlackCat.
Their primary motivation is money, and they do not have a specific target country. There are different subjects from Kuwait, Thailand, and America among its recent victims. Further, ALPHV operates ransomware as a service model and has put the focus on looking to recruit affiliates.
ALPHV has posted to many Russian and Sino-Russian websites since its first post. Their posts include promotions and indications claiming “a new era of ransomware.” According to these posts, they have claimed to have new code and decentralized architecture. ALPHV is also bringing more attention to protecting themselves by siloing attacks with one website per affected company and affiliate. ALPHV presents an adorable payment share with somewhere between 80-90% of the ransom going to the affiliate.
The FBI published a notice concerning the actions of the threat group in April 2022. The Bureau expresses that the gang’s ransomware has been used to attack at least 60 associations worldwide. There’s something distinct about the ransomware and the code of BlackCat. This ransomware is unique because it was coded employing the Rust programming language. The FBI warning remarks that Rust is “considered a more secure programming language that offers improved performance and reliable concurrent processing.”
BlackCat operators were former members of the REvil gang, which suggests that the ALPHV ransomware gang is most likely associated with the REvil ransomware group. Also, a member of the LockBit ransomware group has asserted that BlackCat is a new version of DarkSide. However, no evidential similarity has been found in available IOCs yet.
BlackCat Attacks Swissport
The BlackCat gang launched an attack on an aviation company, Swissport, in February 2022. The ransomware attack was announced on the group website monitored by SOCRadar: “In 2021, Swissport International AG provided best-in-class airport ground services for some 97 million airline passengers and handled roughly 5.1 million tons of air freight at over 100 cargo warehouses worldwide. We will share a link to let you download more samples soon. If you’re interested in buying the whole dump (1.6TB) of data or some part of it, reach us”.
The Austrian Federal State of Kärnten Ransomware Attack
In a more recent attack, BlackCat launched an attack on the Austrian federal state of Carinthia (Kärnten). The group asked for a $5 million ransom to unlock the encrypted computer systems. In the AlphVM Blackcat ransomware group website monitored, data leaks detected allegedly belong to the Administration of the state of Carinthia.
As said above, the ransomware gang has been very active recently. During the first three weeks of August of 2022, five new ransomware victims were announced on the BlackCat (AlphVM) ransomware group website monitored by SOCRadar.