Inactive ransomware operator
← All groupsalphv
aka BlackCat, Noberus · 731 victims indexed · first seen 5 years ago · last activity 2 years ago
At a glance
- Status
- inactive
- Aliases
- BlackCat, Noberus
- First seen
- 5 years ago
- Last activity
- 2 years ago
- Onion sites
- 4 known endpoints
- Primary sector
- Business Services · 162 hits
About
References
53 linksExternal sources curated by the MISP threat-intel community.
- malpedia.caad.fkie.fraunhofer.de/details/win.blackcat
- 1-id--ransomware-blogspot-com.translate.goog/2021/12/blackcat-ransomware.html?_x_tr_enc=1&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=ru
- medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809
- github.com/f0wl/blackCatConf
- sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
- varonis.com/blog/alphv-blackcat-ransomware
- intrinsec.com/alphv-ransomware-gang-analysis
- unit42.paloaltonetworks.com/blackcat-ransomware/
- cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat
- microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- blog.emsisoft.com/en/40931/ransomware-profile-alphv/
- blog.group-ib.com/blackcat
- blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
- blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
- killingthebear.jorgetesta.tech/actors/alphv
- krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/
- news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
- query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
- securelist.com/a-bad-luck-blackcat/106254/
- securelist.com/new-ransomware-trends-in-2022/106457/
Timeline
16 monthsTop countries
Top sectors
MITRE ATT&CK
40 techniques · 11 tacticsTactics
Techniques
- T1190Exploit Public-Facing Application
- T1133External Remote Services
- T1078Valid Accounts
- T1566.001Phishing: Spearphishing Attachment
- T1059.001Command and Scripting Interpreter: PowerShell
- T1059.003Command and Scripting Interpreter: Windows Command Shell
- T1059.004Command and Scripting Interpreter: Unix Shell
- T1106Native API
- T1543.003Create or Modify System Process: Windows Service
- T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1548.002Abuse Elevation Control Mechanism: Bypass User Account Control
- T1134Access Token Manipulation
- T1562.001Impair Defenses: Disable or Modify Tools
- T1562.009Impair Defenses: Safe Mode Boot
- T1027Obfuscated Files or Information
- T1036Masquerading
- T1112Modify Registry
- T1003.001OS Credential Dumping: LSASS Memory
- T1003.002OS Credential Dumping: Security Account Manager
- T1110Brute Force
- T1021.001Remote Services: Remote Desktop Protocol
- T1021.002Remote Services: SMB/Windows Admin Shares
- T1021.006Remote Services: Windows Remote Management
- T1570Lateral Tool Transfer
- T1018Remote System Discovery
- T1082System Information Discovery
- T1083File and Directory Discovery
- T1135Network Share Discovery
- T1057Process Discovery
- T1016System Network Configuration Discovery
- T1039Data from Network Shared Drive
- T1074.001Data Staged: Local Data Staging
- T1560Archive Collected Data
- T1048Exfiltration Over Alternative Protocol
- T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
- T1486Data Encrypted for Impact
- T1489Service Stop
- T1490Inhibit System Recovery
- T1491.002Defacement: External Defacement
- T1657Financial Theft
Detection · YARA rules
1 ruleRansom_Win_BlackCat
YARA rule from ATR/Trellix: ransomware/Ransom_Win_BlackCat_public.yar
source: ATR/Trellix
Recent victims
Loading…
Onion infrastructure
4 known- http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion
- http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion
- http://alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion
- http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion
Source
Updated 2 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.
Get alerted the next time alphv posts a victim.
Add alphv to your watchlist — Pro pings you within 5 minutes of any new alphv leak-site post, Telegram callout, or affiliate-rebrand inference.

