Skip to main content

Operator dossier

ALPHV/BlackCat (also tracked as ALPHV, BlackCat, Noberus) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 1,662 public victims claimed by this operator between September 9, 2021 and March 3, 2024. ALPHV, also known as BlackCat or Noberus, is a sophisticated ransomware-as-a-service operation that emerged in November 2021 and quickly became one of the most prolific ransomware groups globally, driven by financial motivations and responsible for compromising over 930 victims worldwide. The group is believed to be operated by Russian-speaking cybercriminals and represents an evolution of the BlackMatter ransomware operation, operating under a RaaS model that recruits experienced affiliates from other disbanded ransomware groups. ALPHV employs a multi-faceted attack methodology utilizing various initial access vectors including compromised Remote Desktop Protocol credentials, phishing campaigns, and exploitation of unpatched vulnerabilities, followed by deployment of their Rust-based ransomware payload that supports both Windows and Linux environments, while consistently employing double extortion tactics that involve data theft prior to encryption and threats to publish stolen information on their leak site. Notable campaigns include high-profile attacks against critical infrastructure and major corporations across healthcare, finance, and energy sectors, with the group demanding ransoms ranging from hundreds of thousands to millions of dollars, prompting the FBI and CISA to issue multiple advisories warning of their targeting of critical infrastructure organizations. As of early 2024, ALPHV remains active despite ongoing law enforcement efforts, continuing to evolve their tactics and maintain their position as one of the most significant ransomware threats globally.

Most-targeted sectors

Most-affected countries

Recent disclosures by ALPHV/BlackCat

Most recent 150 of 1,662 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for ALPHV/BlackCat

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

ALPHV/BlackCat

aka ALPHV, BlackCat, Noberus · 1,662 victims indexed · first seen 5 years ago · last activity 2 years ago

1,662
Victims indexed
#7 of 364 tracked operators
2y 6m
Active period
Sep 2021 → Mar 2024
30
Countries hit
top United States · 755

At a glance

Status
inactive
Aliases
ALPHV, BlackCat, Noberus
First seen
5 years ago
Last activity
2 years ago
Onion sites
7 known endpoints
Primary sector
Healthcare · 194 hits

About

ALPHV, also known as BlackCat or Noberus, is a sophisticated ransomware-as-a-service operation that emerged in November 2021 and quickly became one of the most prolific ransomware groups globally, driven by financial motivations and responsible for compromising over 930 victims worldwide. The group is believed to be operated by Russian-speaking cybercriminals and represents an evolution of the BlackMatter ransomware operation, operating under a RaaS model that recruits experienced affiliates from other disbanded ransomware groups. ALPHV employs a multi-faceted attack methodology utilizing various initial access vectors including compromised Remote Desktop Protocol credentials, phishing campaigns, and exploitation of unpatched vulnerabilities, followed by deployment of their Rust-based ransomware payload that supports both Windows and Linux environments, while consistently employing double extortion tactics that involve data theft prior to encryption and threats to publish stolen information on their leak site. Notable campaigns include high-profile attacks against critical infrastructure and major corporations across healthcare, finance, and energy sectors, with the group demanding ransoms ranging from hundreds of thousands to millions of dollars, prompting the FBI and CISA to issue multiple advisories warning of their targeting of critical infrastructure organizations. As of early 2024, ALPHV remains active despite ongoing law enforcement efforts, continuing to evolve their tactics and maintain their position as one of the most significant ransomware threats globally.

References

53 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2022-04-01T00:00:00+00:00 · 142022-05-01T00:00:00+00:00 · 122022-06-01T00:00:00+00:00 · 52022-07-01T00:00:00+00:00 · 92022-08-01T00:00:00+00:00 · 72022-09-01T00:00:00+00:00 · 52022-10-01T00:00:00+00:00 · 52022-11-01T00:00:00+00:00 · 82022-12-01T00:00:00+00:00 · 62023-01-01T00:00:00+00:00 · 52023-02-01T00:00:00+00:00 · 62023-03-01T00:00:00+00:00 · 82023-04-01T00:00:00+00:00 · 242023-05-01T00:00:00+00:00 · 172023-06-01T00:00:00+00:00 · 92023-07-01T00:00:00+00:00 · 8432023-08-01T00:00:00+00:00 · 862023-09-01T00:00:00+00:00 · 1052023-10-01T00:00:00+00:00 · 692023-11-01T00:00:00+00:00 · 1102023-12-01T00:00:00+00:00 · 572024-01-01T00:00:00+00:00 · 462024-02-01T00:00:00+00:00 · 632024-03-01T00:00:00+00:00 · 12
2022-04-01T00:00:00+00:002024-03-01T00:00:00+00:00

Top countries

🇺🇸 United States
755
🇬🇧 United Kingdom
80
🇨🇦 Canada
69
🇩🇪 Germany
53
🇦🇺 Australia
44
🇮🇹 Italy
32
🇪🇸 Spain
31
🇫🇷 France
29

Top sectors

Healthcare
194
Manufacturing
182
Technology
128
Business Services
118
Construction
109
Legal
96
Financial Services
88
Education
51

MITRE ATT&CK

8 techniques · 7 tactics

Tactics

Initial AccessExecutionDefense EvasionCredential AccessLateral MovementExfiltrationImpact

Techniques

Indicators of compromise

Known tools

Cobalt StrikeBrute RatelEvilginx2Mimikatz

File hashes

  • SHA256 847fb7609af3e58e50fc2e63e6b5b87bd5c3f7c5d115cf5c0e0a8ed85c5cfaf5
    BlackCat payload (Rust)

Domains

  • alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion

Detection · YARA rules

1 rule
  • Ransom_Win_BlackCat

    YARA rule from ATR/Trellix: ransomware/Ransom_Win_BlackCat_public.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

7 known
  • http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion
  • http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/api/blog/all/0/6
  • http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion/search
  • http://alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion/api/blog/brief/0/100
  • http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion
  • http://alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion
  • http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion

Source

Updated 2 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time ALPHV/BlackCat posts a victim.

Add ALPHV/BlackCat to your watchlist — Pro pings you within 5 minutes of any new ALPHV/BlackCat leak-site post, Telegram callout, or affiliate-rebrand inference.