Skip to main content

Operator dossier

alphv (also tracked as BlackCat, Noberus) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 731 public victims claimed by this operator between September 9, 2021 and March 3, 2024. ALPHV, also known as BlackCat or Noberus, is a financially motivated ransomware group that emerged in September 2021 and rapidly established itself as one of the most sophisticated and prolific ransomware operations observed by researchers at Mandiant, CISA, and the FBI. The group is suspected to have Russian-speaking origins and operates as a Ransomware-as-a-Service (RaaS) platform, with well-documented links to former affiliates of the DarkSide and BlackMatter ransomware operations, suggesting a continuity of personnel and tradecraft across these successive rebrand events. ALPHV is technically distinguished by its use of Rust-based ransomware — an uncommon choice at the time of its emergence — which enabled cross-platform attacks against Windows, Linux, and VMware ESXi environments; the group employs multiple initial access vectors including compromised credentials, phishing, and exploitation of unpatched vulnerabilities, and routinely conducts double and triple extortion by exfiltrating sensitive data prior to encryption and threatening victims with public disclosure on their dedicated leak site, with some cases involving additional pressure through direct contact with victim customers and regulators. ALPHV has claimed responsibility for high-profile attacks against MGM Resorts International, Caesars Entertainment, Reddit, and healthcare provider Change Healthcare — the latter representing one of the most disruptive cyberattacks on the U.S. healthcare sector on record, with a reported ransom payment of approximately $22 million — and has accumulated over 731 known victims across the United States, Canada, Australia, the United Kingdom, and Germany, with particular concentration in business services, manufacturing, healthcare, technology, and financial services sectors. In December 2023, the FBI and international partners conducted a disruption operation against ALPHV's infrastructure and released a decryption tool for victims; however, the group subsequently attempted to rebrand and continued operations before an apparent final collapse in March 2024, following an alleged exit scam against affiliates after the Change Healthcare ransom payment, with law enforcement officially attributing the group's infrastructure seizure shortly thereafter.

Most-targeted sectors

Most-affected countries

Recent disclosures by alphv

Most recent 150 of 731 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for alphv

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

alphv

aka BlackCat, Noberus · 731 victims indexed · first seen 5 years ago · last activity 2 years ago

731
Victims indexed
#13 of 364 tracked operators
2y 6m
Active period
Sep 2021 → Mar 2024
30
Countries hit
top US · 92

At a glance

Status
inactive
Aliases
BlackCat, Noberus
First seen
5 years ago
Last activity
2 years ago
Onion sites
4 known endpoints
Primary sector
Business Services · 162 hits

About

ALPHV, also known as BlackCat or Noberus, is a financially motivated ransomware group that emerged in September 2021 and rapidly established itself as one of the most sophisticated and prolific ransomware operations observed by researchers at Mandiant, CISA, and the FBI. The group is suspected to have Russian-speaking origins and operates as a Ransomware-as-a-Service (RaaS) platform, with well-documented links to former affiliates of the DarkSide and BlackMatter ransomware operations, suggesting a continuity of personnel and tradecraft across these successive rebrand events. ALPHV is technically distinguished by its use of Rust-based ransomware — an uncommon choice at the time of its emergence — which enabled cross-platform attacks against Windows, Linux, and VMware ESXi environments; the group employs multiple initial access vectors including compromised credentials, phishing, and exploitation of unpatched vulnerabilities, and routinely conducts double and triple extortion by exfiltrating sensitive data prior to encryption and threatening victims with public disclosure on their dedicated leak site, with some cases involving additional pressure through direct contact with victim customers and regulators. ALPHV has claimed responsibility for high-profile attacks against MGM Resorts International, Caesars Entertainment, Reddit, and healthcare provider Change Healthcare — the latter representing one of the most disruptive cyberattacks on the U.S. healthcare sector on record, with a reported ransom payment of approximately $22 million — and has accumulated over 731 known victims across the United States, Canada, Australia, the United Kingdom, and Germany, with particular concentration in business services, manufacturing, healthcare, technology, and financial services sectors. In December 2023, the FBI and international partners conducted a disruption operation against ALPHV's infrastructure and released a decryption tool for victims; however, the group subsequently attempted to rebrand and continued operations before an apparent final collapse in March 2024, following an alleged exit scam against affiliates after the Change Healthcare ransom payment, with law enforcement officially attributing the group's infrastructure seizure shortly thereafter.

References

53 links

External sources curated by the MISP threat-intel community.

Timeline

16 months
2021-09-01T00:00:00+00:00 · 12021-12-01T00:00:00+00:00 · 132022-01-01T00:00:00+00:00 · 132022-02-01T00:00:00+00:00 · 132022-05-01T00:00:00+00:00 · 32022-08-01T00:00:00+00:00 · 22023-03-01T00:00:00+00:00 · 12023-07-01T00:00:00+00:00 · 4172023-08-01T00:00:00+00:00 · 432023-09-01T00:00:00+00:00 · 512023-10-01T00:00:00+00:00 · 342023-11-01T00:00:00+00:00 · 532023-12-01T00:00:00+00:00 · 282024-01-01T00:00:00+00:00 · 232024-02-01T00:00:00+00:00 · 312024-03-01T00:00:00+00:00 · 5
2021-09-01T00:00:00+00:002024-03-01T00:00:00+00:00

Top countries

🇺🇸 United States
92
🇨🇦 Canada
25
🇦🇺 Australia
21
🇬🇧 United Kingdom
19
🇩🇪 Germany
13
🇮🇹 Italy
11
🇫🇷 France
11
🇧🇷 Brazil
11

Top sectors

Business Services
162
Manufacturing
112
Healthcare
68
Technology
60
Financial Services
55
Consumer Services
46
Construction
41
Energy
36

MITRE ATT&CK

40 techniques · 11 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1133External Remote Services
  • T1078Valid Accounts
  • T1566.001Phishing: Spearphishing Attachment
  • T1059.001Command and Scripting Interpreter: PowerShell
  • T1059.003Command and Scripting Interpreter: Windows Command Shell
  • T1059.004Command and Scripting Interpreter: Unix Shell
  • T1106Native API
  • T1543.003Create or Modify System Process: Windows Service
  • T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1548.002Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1134Access Token Manipulation
  • T1562.001Impair Defenses: Disable or Modify Tools
  • T1562.009Impair Defenses: Safe Mode Boot
  • T1027Obfuscated Files or Information
  • T1036Masquerading
  • T1112Modify Registry
  • T1003.001OS Credential Dumping: LSASS Memory
  • T1003.002OS Credential Dumping: Security Account Manager
  • T1110Brute Force
  • T1021.001Remote Services: Remote Desktop Protocol
  • T1021.002Remote Services: SMB/Windows Admin Shares
  • T1021.006Remote Services: Windows Remote Management
  • T1570Lateral Tool Transfer
  • T1018Remote System Discovery
  • T1082System Information Discovery
  • T1083File and Directory Discovery
  • T1135Network Share Discovery
  • T1057Process Discovery
  • T1016System Network Configuration Discovery
  • T1039Data from Network Shared Drive
  • T1074.001Data Staged: Local Data Staging
  • T1560Archive Collected Data
  • T1048Exfiltration Over Alternative Protocol
  • T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • T1486Data Encrypted for Impact
  • T1489Service Stop
  • T1490Inhibit System Recovery
  • T1491.002Defacement: External Defacement
  • T1657Financial Theft

Detection · YARA rules

1 rule
  • Ransom_Win_BlackCat

    YARA rule from ATR/Trellix: ransomware/Ransom_Win_BlackCat_public.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

4 known
  • http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion
  • http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion
  • http://alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion
  • http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion

Source

Updated 2 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time alphv posts a victim.

Add alphv to your watchlist — Pro pings you within 5 minutes of any new alphv leak-site post, Telegram callout, or affiliate-rebrand inference.