BlackCat / ALPHV
What is BlackCat / ALPHV?
BlackCat / ALPHV
A Rust-based ransomware-as-a-service operation active from late 2021 to 2024, notable for cross-platform encryptors and aggressive multi-stage extortion.
BlackCat, also known as ALPHV or Noberus, surfaced in November 2021 and was widely assessed to be a rebrand of BlackMatter / DarkSide. It was one of the first major ransomware families written in Rust, with payloads for Windows, Linux, and ESXi. Affiliates kept 80-90 percent of ransoms and used triple-extortion tactics including data leaks, victim search portals, and DDoS. High-impact incidents include the September 2023 MGM Resorts and Caesars Entertainment intrusions, and the February 2024 Change Healthcare attack that disrupted US pharmacy claims for weeks. In December 2023 the FBI announced an infrastructure seizure and decryptor; BlackCat re-emerged briefly, then executed a publicised exit-scam in March 2024, refusing to pay the affiliate that hit Change Healthcare. Members are believed to have migrated to RansomHub and other RaaS.
● Examples
- 01
The September 2023 BlackCat / Scattered Spider attack on MGM Resorts disrupted hotel, gaming, and digital services across multiple casinos.
- 02
The February 2024 Change Healthcare incident attributed to BlackCat disrupted US healthcare claims and pharmacy operations on a national scale.
● Frequently asked questions
What is BlackCat / ALPHV?
A Rust-based ransomware-as-a-service operation active from late 2021 to 2024, notable for cross-platform encryptors and aggressive multi-stage extortion. It belongs to the Defense & Operations category of cybersecurity.
What does BlackCat / ALPHV mean?
A Rust-based ransomware-as-a-service operation active from late 2021 to 2024, notable for cross-platform encryptors and aggressive multi-stage extortion.
How does BlackCat / ALPHV work?
BlackCat, also known as ALPHV or Noberus, surfaced in November 2021 and was widely assessed to be a rebrand of BlackMatter / DarkSide. It was one of the first major ransomware families written in Rust, with payloads for Windows, Linux, and ESXi. Affiliates kept 80-90 percent of ransoms and used triple-extortion tactics including data leaks, victim search portals, and DDoS. High-impact incidents include the September 2023 MGM Resorts and Caesars Entertainment intrusions, and the February 2024 Change Healthcare attack that disrupted US pharmacy claims for weeks. In December 2023 the FBI announced an infrastructure seizure and decryptor; BlackCat re-emerged briefly, then executed a publicised exit-scam in March 2024, refusing to pay the affiliate that hit Change Healthcare. Members are believed to have migrated to RansomHub and other RaaS.
How do you defend against BlackCat / ALPHV?
Defences for BlackCat / ALPHV typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for BlackCat / ALPHV?
Common alternative names include: ALPHV, Noberus, BlackCat RaaS.
● Related terms
- defense-ops№ 901
Ransomware Gang
A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
- malware№ 902
Ransomware-as-a-Service (RaaS)
A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
- defense-ops№ 624
LockBit
A Russian-speaking ransomware-as-a-service operation that became the most prolific ransomware brand globally between 2022 and 2024 before being heavily disrupted by Operation Cronos.
- defense-ops№ 215
Conti Ransomware
A Russian-speaking ransomware operation active 2020-2022 that ran one of the highest-volume double-extortion programmes before disbanding after major internal leaks.
- defense-ops№ 928
REvil / Sodinokibi
A Russian-speaking ransomware-as-a-service operation active 2019-2021, known for double extortion and the high-impact Kaseya VSA supply-chain attack.
- defense-ops№ 536
Initial Access Broker (IAB)
A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates.