Background
BlackCat, also known as ALPHV or Noberus, emerged in November 2021 as the first major ransomware family written in the Rust programming language. This technical choice gave the ransomware cross-platform capabilities and strong performance while making analysis more difficult for security researchers. The group is widely believed to be a rebrand of the DarkSide/BlackMatter ransomware operations, with core members linked to Russian-speaking cybercriminal communities.
The BlackCat operation ran a sophisticated ransomware-as-a-service program that attracted skilled affiliates, including members of the Scattered Spider (Octo Tempest) group. BlackCat was among the first ransomware operations to implement triple extortion: encrypting data, threatening to leak stolen data, and launching DDoS attacks against victims who refused to negotiate. They also innovated by creating a searchable leak site that allowed anyone to search through stolen data.
In December 2023, the FBI announced it had seized BlackCat's leak-site infrastructure and released a decryption tool for victims; the accompanying advisory put the operation at over 1,000 compromised entities and nearly $300 million in ransom payments. The group briefly resumed operations, then in March 2024 executed an apparent exit scam: after an affiliate complained that a $22 million ransom payment (reportedly from the Change Healthcare attack) had been taken by the operators, the leak site went dark behind a fake law-enforcement seizure banner. Victim losses far exceed the ransoms collected; UnitedHealth Group estimated the cost of the Change Healthcare attack alone at roughly $1.6 billion for 2024, a figure it later revised upward.
Notable Campaigns
Change Healthcare (February 2024): The most damaging healthcare cyberattack in U.S. history. A BlackCat affiliate compromised Change Healthcare, a UnitedHealth Group subsidiary that processes a large share of U.S. medical claims (commonly described as touching one in three patient records). In testimony to Congress, UnitedHealth's CEO stated that the intruders used stolen credentials to log in to a Citrix remote-access portal that had no multi-factor authentication, moved laterally and exfiltrated data for nine days, and then deployed ransomware on February 21. The attack disrupted prescription processing, insurance claims and provider payments nationwide for weeks. UnitedHealth confirmed paying a $22 million ransom and estimated the 2024 cost of the incident at roughly $1.6 billion before revising that figure upward.
MGM Resorts (September 2023): Working with the Scattered Spider affiliate group, BlackCat attacked MGM Resorts International, causing an estimated $100 million in losses. The attack shut down hotel check-in systems, slot machines, ATMs and restaurant POS systems across MGM properties in Las Vegas and worldwide; ALPHV's own statement claimed the affiliate encrypted more than 100 ESXi hypervisors after MGM cut off its access. Initial access was gained through a social engineering call to MGM's IT help desk lasting roughly 10 minutes, in which the caller impersonated an employee whose details had been gathered from LinkedIn.
Caesars Entertainment (September 2023): In an intrusion that began in late August 2023 and was disclosed alongside the MGM incident, Scattered Spider affiliates compromised Caesars Entertainment through social engineering of an outsourced IT support vendor. Unlike MGM, Caesars reportedly paid approximately $15 million of a $30 million ransom demand to prevent data disclosure.
Reddit (February 2023): Reddit disclosed in February 2023 that an employee had been phished through a site spoofing the company's intranet. In June 2023 BlackCat claimed the intrusion, saying it had taken approximately 80GB of data including internal documents, source code and employee information, and demanded $4.5 million plus a rollback of Reddit's planned API pricing changes, threatening to leak the data otherwise.
Fidelity National Financial (November 2023): BlackCat claimed responsibility for an attack on the major title insurance company that disrupted real estate transactions across the United States for approximately one week, affecting home closings and title searches for thousands of transactions.
Tactics, Techniques & Procedures
BlackCat affiliates employ diverse initial access methods. The Scattered Spider affiliate group is particularly known for sophisticated social engineering, including SIM swapping, MFA fatigue attacks, and impersonating IT help desk staff. Other affiliates exploit internet-facing vulnerabilities, particularly in Microsoft Exchange (ProxyShell/ProxyNotShell), Fortinet VPNs, and Citrix appliances. Purchased credentials from initial access brokers are also commonly used.
The ransomware itself is highly configurable, allowing affiliates to customize encryption modes (full, fast, pattern-based), target specific file extensions, define processes and services to kill before encryption, embed credentials for propagation, and configure propagation methods. Each build is tied to an access token that must be passed on the command line (--access-token); the token is needed to decrypt the embedded JSON configuration, so a sample detonated without it does nothing, which defeats automated sandboxing and means responders must recover the launching command line (from scheduled tasks, GPO, PsExec or EDR process telemetry) along with the binary. BlackCat can encrypt Windows, Linux, and VMware ESXi environments. The group used Impacket and Cobalt Strike (and later Brute Ratel C4) extensively for lateral movement.
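Once the access token has been recovered and the embedded configuration decoded, the response-relevant facts (extension, ransom note name, pre-seeded credentials, which backup services are targeted, which destructive options are enabled) can be pulled out mechanically. The helper below is an added example and not BlackCat code or tooling from any vendor; the key names follow those reported in public analyses of the embedded JSON config and should be treated as an assumption to adjust if a sample differs, and SAMPLE_CONFIG is constructed for illustration (the public key is a placeholder).

```python
"""Triage a decoded BlackCat/ALPHV build configuration.

Added example; not BlackCat code and not from the page's source. Key
names follow public analyses of the embedded JSON config and are an
assumption; SAMPLE_CONFIG is constructed (placeholder public key).
"""
import json

# Build options that widen the blast radius when enabled.
DESTRUCTIVE_FLAGS = (
    "enable_network_discovery",
    "enable_self_propagation",
    "enable_esxi_vm_kill",
    "enable_esxi_vm_snapshot_kill",
)

SAMPLE_CONFIG = json.dumps({                          # constructed sample
    "config_id": "",
    "public_key": "<affiliate RSA public key, placeholder>",
    "extension": "sykffle",
    "note_file_name": "RECOVER-${EXTENSION}-FILES.txt",
    "note_short_text": "Important files on your system were encrypted...",
    "default_file_mode": "Auto",
    "default_file_cipher": "Best",
    "credentials": [["corp\\svc_backup", "Summer2023!"], ["corp\\da.jsmith", "P@ss"]],
    "kill_services": ["veeam", "backup", "sql", "vss", "memtas"],
    "kill_processes": ["agntsvc", "sqlservr", "vmwp", "outlook"],
    "exclude_directory_names": ["system volume information", "windows"],
    "enable_network_discovery": True,
    "enable_self_propagation": True,
    "enable_set_wallpaper": True,
    "enable_esxi_vm_kill": True,
    "enable_esxi_vm_snapshot_kill": True,
    "strict_include_paths": [],
})


def triage(config_json: str) -> dict:
    """Extract the facts an incident responder needs from a decoded config."""
    cfg = json.loads(config_json)
    ext = cfg.get("extension", "")
    # The note name is a template; expand it so the hunt term is exact.
    note = cfg.get("note_file_name", "").replace("${EXTENSION}", ext)
    creds = [c for c in cfg.get("credentials") or [] if isinstance(c, list) and c]
    # Accounts the affiliate already held before detonation: rotate them and
    # pivot on them in authentication logs to find the pre-encryption phase.
    accounts = [c[0] for c in creds]
    services = [s.lower() for s in cfg.get("kill_services") or []]
    hunt_terms = ([f"*.{ext}", note] if ext else []) + accounts
    return {
        "extension": ext,
        "ransom_note": note,
        "file_mode": cfg.get("default_file_mode"),
        "cipher": cfg.get("default_file_cipher"),
        "embedded_accounts": accounts,
        "destructive_flags": [f for f in DESTRUCTIVE_FLAGS if cfg.get(f)],
        # A service-kill list aimed at backup software means backups were a target.
        "targets_backups": any(k in s for s in services for k in ("veeam", "backup")),
        "hunt_terms": hunt_terms,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CONFIG), indent=2))
```

The embedded credential list is the most actionable field: it names accounts that were compromised before the ransomware ran, so they belong on the rotation list and are the pivot for reconstructing the intrusion timeline.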
Data exfiltration is typically performed with ExMatter, a custom tool first seen in BlackMatter intrusions, which automatically identifies and uploads high-value files to attacker-controlled infrastructure. BlackCat affiliates also used a credential-stealing tool called Eamfo that queries the Veeam Backup & Replication configuration database for stored credentials and decrypts them, handing the affiliate the domain, hypervisor and storage accounts needed to reach and destroy backups before deploying ransomware.
Tools & Malware
- BlackCat/ALPHV Ransomware: Rust-based ransomware with configurable encryption, supporting Windows, Linux, and VMware ESXi. Encrypts each file with a ChaCha20 or AES key and wraps that key with the affiliate's RSA public key carried in the embedded configuration, so files cannot be recovered without the affiliate's private key.
- ExMatter: Custom .NET data exfiltration tool that automatically identifies and uploads valuable file types (documents, databases, images) to attacker infrastructure via SFTP or WebDAV.
- Eamfo: Credential stealer targeting Veeam Backup & Replication software, extracting stored credentials from the Veeam database to facilitate backup destruction.
- Cobalt Strike / Brute Ratel C4: Commercial adversary simulation frameworks used for post-exploitation, lateral movement, and C2.
- Mimikatz: Windows credential harvesting, particularly targeting LSASS memory and Kerberos tickets.
- Impacket: Python-based collection of tools for network protocol interaction, used heavily for lateral movement (wmiexec, smbexec, psexec).
- BlackCat Sphynx: A rewritten variant of the ransomware introduced in 2023 with improved anti-detection, bundling tooling such as Impacket and RemCom inside the binary so that lateral movement no longer depends on separately dropped tools.
Indicators & Detection
Files encrypted by BlackCat carry a per-victim extension (typically 7 random lowercase alphanumeric characters) appended to the original name, and the ransom note is dropped into each encrypted directory as RECOVER-[extension]-FILES.txt. On Windows the ransomware changes the desktop wallpaper to a ransom message, deletes volume shadow copies (vssadmin delete shadows, wmic shadowcopy delete), disables automatic recovery with bcdedit and clears event logs with wevtutil; a burst of renames to one never-before-seen extension, followed by the note, is the clearest host-side signal. Lateral movement with Impacket's wmiexec leaves its characteristic command line, cmd.exe /Q /c redirecting output to \\127.0.0.1\ADMIN$\__<timestamp>. On Linux/ESXi, look for an unfamiliar ELF dropped to /tmp or a datastore and invoked with --access-token, followed by mass VM kills (esxcli vm process kill) and snapshot deletion recorded in shell.log.
Monitor for Scattered Spider TTPs where affiliates are involved: employee reports of SIM swaps, unexpected MFA factor resets or new device enrollments (especially ones performed or requested through the help desk), help desk social engineering attempts, and Okta or Azure AD (Entra ID) sign-ins from unusual locations or commercial VPN exit nodes. Alert on MFA fatigue patterns (multiple rapid MFA push notifications to one user), and treat a successful sign-in that follows such a burst as a probable compromise rather than a user finally approving a legitimate prompt.
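The identity-side detections above can be run over the identity provider's event stream. The script below is an added example, not from the page and not Okta's code: EVENTS and BASELINE are constructed, the field names only loosely follow the Okta System Log, and the eventType strings used for push challenges, factor resets and factor enrollment are assumptions to verify against your tenant before deploying. It implements three rules: MFA fatigue (many push challenges to one user in a short window, plus whether a successful sign-in followed), an admin-initiated factor reset followed by a new factor enrolled from an IP the user has never used, and a sign-in from a country absent from the user's history.

```python
"""Flag Scattered Spider-style identity abuse in Okta-like sign-in events.

Added example; not from the page or from Okta. EVENTS and BASELINE are
constructed. The eventType constants below are assumptions to confirm
against the real System Log before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_SENT = "system.push.send_factor_verify_push"   # assumed eventType
FACTOR_RESET = "user.mfa.factor.reset_all"           # assumed eventType
FACTOR_ENROLL = "user.mfa.factor.activate"           # assumed eventType
SESSION_START = "user.session.start"
FATIGUE_COUNT, FATIGUE_WINDOW = 5, timedelta(minutes=10)
RESET_TO_ENROLL = timedelta(hours=2)

# Constructed prior history per user: IPs and countries seen before today.
BASELINE = {
    "jdoe": {"ips": {"192.0.2.10"}, "countries": {"US"}},
    "asmith": {"ips": {"192.0.2.44"}, "countries": {"US"}},
    "bob": {"ips": {"192.0.2.77"}, "countries": {"US"}},
}


def ev(t, etype, user, actor=None, ip="", country="", result="SUCCESS"):
    """Build one simplified event; actor defaults to the subject user."""
    return {"t": datetime.fromisoformat(t), "type": etype, "user": user,
            "actor": actor or user, "ip": ip, "country": country, "result": result}


EVENTS = [  # constructed timeline
    # jdoe: six pushes in six minutes from a VPN exit, then a successful login
    *[ev(f"2023-09-08T01:0{i}:00", PUSH_SENT, "jdoe", ip="203.0.113.9", country="NL") for i in range(6)],
    ev("2023-09-08T01:07:00", SESSION_START, "jdoe", ip="203.0.113.9", country="NL"),
    # asmith: help desk resets factors, a new factor is enrolled from a new IP
    ev("2023-09-08T10:00:00", FACTOR_RESET, "asmith", actor="helpdesk.admin", ip="192.0.2.5", country="US"),
    ev("2023-09-08T10:06:00", FACTOR_ENROLL, "asmith", ip="198.51.100.7", country="NL"),
    ev("2023-09-08T10:08:00", SESSION_START, "asmith", ip="198.51.100.7", country="NL"),
    # bob: a normal login with two pushes from a known location (should stay quiet)
    ev("2023-09-08T08:00:00", PUSH_SENT, "bob", ip="192.0.2.77", country="US"),
    ev("2023-09-08T08:00:30", PUSH_SENT, "bob", ip="192.0.2.77", country="US"),
    ev("2023-09-08T08:01:00", SESSION_START, "bob", ip="192.0.2.77", country="US"),
]


def detect(events, baseline):
    """Return (rule, user, detail) tuples; events may arrive unordered."""
    findings = []
    pushes = defaultdict(list)      # user -> push timestamps
    resets = {}                     # user -> most recent admin-initiated reset
    for e in sorted(events, key=lambda x: x["t"]):
        u = e["user"]
        hist = baseline.get(u, {"ips": set(), "countries": set()})
        if e["type"] == PUSH_SENT:
            pushes[u].append(e["t"])
            recent = [t for t in pushes[u] if e["t"] - t <= FATIGUE_WINDOW]
            if len(recent) == FATIGUE_COUNT:          # fire once per burst
                findings.append(("mfa_fatigue", u, f"{len(recent)} pushes within {FATIGUE_WINDOW}"))
        elif e["type"] == FACTOR_RESET and e["actor"] != u:
            resets[u] = e
        elif e["type"] == FACTOR_ENROLL:
            r = resets.get(u)
            if r and e["t"] - r["t"] <= RESET_TO_ENROLL and e["ip"] not in hist["ips"]:
                findings.append(("reset_then_enroll_new_ip", u,
                                 f"reset by {r['actor']}, new factor from {e['ip']}"))
        elif e["type"] == SESSION_START and e["result"] == "SUCCESS":
            burst = [t for t in pushes[u] if e["t"] - t <= FATIGUE_WINDOW]
            if len(burst) >= FATIGUE_COUNT:
                findings.append(("mfa_fatigue_succeeded", u, f"sign-in after {len(burst)} pushes"))
            if e["country"] and e["country"] not in hist["countries"]:
                findings.append(("new_country_signin", u, f"{e['ip']} ({e['country']})"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(EVENTS, BASELINE):
        print(f"[{rule}] {user}: {detail}")
```

The reset-then-enroll rule only considers resets whose actor differs from the subject, which is exactly the help-desk-assisted path Scattered Spider abuses; a user re-enrolling their own device from a known IP stays silent.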
Network detection should focus on ExMatter's staging and exfiltration patterns, particularly large outbound SFTP or WebDAV transfers from file servers to destinations that are not sanctioned partners. Monitor for Brute Ratel C4 beacons, which were designed to evade the signatures written for Cobalt Strike. Lock down Veeam infrastructure: segment the backup servers, restrict which hosts can reach the Veeam configuration database, and alert on reads of its stored-credential data from anything other than the Veeam services themselves. Keep backup systems isolated and maintain immutable or offline copies, since affiliates deliberately destroy every backup they can reach before encrypting.
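Both network rules above reduce to aggregation over flow records. The script below is an added example, not from the page or any product: FLOWS is a constructed set of NetFlow-like records, and the sanctioned-destination list, Veeam addresses and byte thresholds are assumptions for a sample environment. Rule 1 flags a source that pushes more than a threshold of bytes over SFTP (22) or HTTP(S) WebDAV (80/443) to an unsanctioned destination across the input window with a strongly outbound byte ratio; rule 2 flags any host other than the Veeam server itself talking to the Veeam database's SQL port.

```python
"""Spot ExMatter-style bulk uploads and anomalous Veeam database access.

Added example; not from the page or any product. FLOWS, the sanctioned
destination list, the Veeam addresses and the thresholds are constructed
assumptions for a sample environment.
"""
from collections import defaultdict

EXFIL_PORTS = {22, 80, 443}               # SFTP and WebDAV over HTTP(S)
EXFIL_BYTES = 500 * 1024 * 1024           # 500 MiB per src->dst over the window
EXFIL_RATIO = 10                          # out:in ratio typical of an upload
SANCTIONED_DESTS = {"203.0.113.50"}       # assumed: a known partner SFTP server
VEEAM_SERVER, VEEAM_DB, VEEAM_DB_PORT = "10.0.5.20", "10.0.5.21", 1433

MiB = 1024 * 1024
FLOWS = [  # constructed flow records
    # file server pushing 1.2 GiB to an unknown host over 22 in ten-minute slices
    *[{"ts": f"2023-11-20T22:{m:02d}:00", "src": "10.0.1.15", "dst": "198.51.100.23",
       "dport": 22, "bytes_out": 200 * MiB, "bytes_in": 2 * MiB} for m in range(0, 60, 10)],
    # the same server's routine transfer to the sanctioned partner
    {"ts": "2023-11-20T23:00:00", "src": "10.0.1.15", "dst": "203.0.113.50",
     "dport": 22, "bytes_out": 900 * MiB, "bytes_in": 1 * MiB},
    # a workstation browsing: plenty of 443 traffic, but mostly inbound
    {"ts": "2023-11-20T22:05:00", "src": "10.0.3.40", "dst": "198.51.100.99",
     "dport": 443, "bytes_out": 50 * MiB, "bytes_in": 700 * MiB},
    # the Veeam server's own legitimate database traffic
    {"ts": "2023-11-20T22:10:00", "src": VEEAM_SERVER, "dst": VEEAM_DB,
     "dport": VEEAM_DB_PORT, "bytes_out": 3 * MiB, "bytes_in": 4 * MiB},
    # a jump host querying the Veeam database directly (Eamfo-style credential pull)
    {"ts": "2023-11-20T22:12:00", "src": "10.0.9.8", "dst": VEEAM_DB,
     "dport": VEEAM_DB_PORT, "bytes_out": 40 * 1024, "bytes_in": 120 * 1024},
]


def detect(flows):
    """Return (rule, source, detail) tuples for the two rules."""
    findings = []
    totals = defaultdict(lambda: [0, 0])          # (src, dst) -> [bytes_out, bytes_in]
    for f in flows:
        if f["dport"] in EXFIL_PORTS and f["dst"] not in SANCTIONED_DESTS:
            t = totals[(f["src"], f["dst"])]
            t[0] += f["bytes_out"]
            t[1] += f["bytes_in"]
        # Only the Veeam server should ever open the configuration database.
        if f["dst"] == VEEAM_DB and f["dport"] == VEEAM_DB_PORT and f["src"] != VEEAM_SERVER:
            findings.append(("veeam_db_access_from_unexpected_host", f["src"],
                             f"{f['src']} -> {VEEAM_DB}:{VEEAM_DB_PORT}"))
    for (src, dst), (out_b, in_b) in totals.items():
        # Volume alone is noisy; require the lopsided ratio of a bulk upload too.
        if out_b >= EXFIL_BYTES and out_b >= EXFIL_RATIO * max(in_b, 1):
            findings.append(("bulk_upload_to_unsanctioned_host", src,
                             f"{out_b // MiB} MiB sent to {dst}"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in detect(FLOWS):
        print(f"[{rule}] {src}: {detail}")
```

Summing per source-destination pair across the window is what catches ExMatter, which uploads in many moderate sessions rather than one large one; the workstation and the sanctioned partner transfer stay quiet because of the ratio check and the allow-list respectively.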